Persistent XSS bug discovered on eBay

"Once you log in to your account on eBay, edit the option "About me".

http://cgi3.ebay.com/ws/eBayISAPI.dll?AboutMeLogin

Now go to:
http://members.ebay.com/ws/eBayISAPI.dll?EditUserPageHTMLSource
and edit with HTML enabled.

Demo URL (My profile):
http://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=shell2h4ck

It is also vulnerable to redirection and other normal XSS attacks."


One possible exploitation scenario is an attacker stealing cleartext credentials from registered users by injecting an iframe tag that loads a rogue eBay login page from a remote server.

http://xssed.com/news/125/Persistent_XSS_bug_discovered_on_eBay/
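
A server-side mitigation for the stored profile HTML described above, as an added example that is not part of the original report and not eBay's code: an allowlist sanitizer run on "About me" markup before it is saved, so iframes, scripts, event-handler attributes and non-http(s) links never reach other users' browsers. The tag policy, the function names and the sample input are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for a profile page: basic formatting and plain links only.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
# Elements removed together with everything nested inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
# Constructed sample input (not taken from the report).
SAMPLE = '<p>Hi <b>there</b></p><iframe src="https://rogue.example/login"></iframe>'

def safe_href(value):
    """Return the URL only if it is an absolute http(s) link, else None."""
    try:
        ok = urlsplit((value or "").strip()).scheme in ("http", "https")
    except ValueError:  # malformed URL: treat as unsafe
        return None
    return value.strip() if ok else None

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            # All attributes are discarded; only a validated href is re-emitted.
            href = safe_href(dict(attrs).get("href")) if tag == "a" else None
            if href:
                self.out.append(f'<a href="{escape(href)}" rel="nofollow noopener">')
            else:
                self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # text is always re-encoded

def sanitize_profile_html(raw):
    parser = ProfileSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

An unclosed element from the drop list discards the rest of the input, so malformed markup fails closed rather than leaking through.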
