[Full-disclosure] PayPal Send Money Cross-Site Scripting Vulnerability

Nathan Power np at securitypentest.com
Sat Jan 1 20:51:05 GMT 2011


--------------------------------------------------------------------------------

1. Summary:


PayPal's send money feature is affected by an XSS (cross-site scripting)
vulnerability.


--------------------------------------------------------------------------------

2. Description:


When sending money via PayPal, the sender has the option to include a message
along with the payment.  An attacker can inject script into this message field
because the input is not validated and is not encoded when it is later rendered.
The message is stored with the transaction, so when the victim views the
transaction page the injected code executes in the victim's browser (a stored,
or persistent, XSS).
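The following is an added example, not code from the advisory or from PayPal: a small stand-in for the pattern described above. A sender-supplied message is stored with a transaction and later rendered into the recipient's transaction page. Rendering it by string concatenation is the vulnerable pattern; HTML-encoding every untrusted field at the point it enters HTML is the fix. The transaction records, the payload and the function names are all constructed for illustration.

```javascript
// Added example (not PayPal's code): a minimal model of the stored XSS
// pattern in the advisory. All names, records and the payload are constructed.

// Constructed payload of the kind an attacker would type into the message box.
const ATTACKER_MESSAGE = '<img src=x onerror="alert(document.cookie)">';

// In-memory stand-in for the transaction store (hypothetical).
const transactions = [
  { id: 'TXN-0001', from: 'attacker@example.com', amount: '1.00', message: ATTACKER_MESSAGE },
  { id: 'TXN-0002', from: 'friend@example.com', amount: '25.00', message: 'Thanks for lunch <3' },
];

// Vulnerable: the stored message is concatenated verbatim into the HTML the
// victim's browser renders, so any markup it contains becomes part of the page.
function renderTransactionVulnerable(txn) {
  return '<tr><td>' + txn.id + '</td><td>' + txn.from + '</td>' +
         '<td>' + txn.amount + '</td><td>' + txn.message + '</td></tr>';
}

// Output encoding: every character that can open or close HTML syntax is
// replaced by its entity, so stored text is displayed rather than parsed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// Hardened: same template, but each untrusted field is encoded on output.
// The fix belongs where data enters the HTML context; input validation alone
// cannot know every context the message will later be rendered into.
function renderTransactionSafe(txn) {
  return '<tr><td>' + escapeHtml(txn.id) + '</td><td>' + escapeHtml(txn.from) + '</td>' +
         '<td>' + escapeHtml(txn.amount) + '</td><td>' + escapeHtml(txn.message) + '</td></tr>';
}

// Crude check used only for this demonstration: does the rendered fragment
// still contain a raw tag carrying an event-handler attribute?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Renders every stored transaction both ways and reports whether active
// markup survived into the page for each.
function demo() {
  const results = {};
  for (const txn of transactions) {
    results[txn.id] = {
      vulnerable: containsActiveMarkup(renderTransactionVulnerable(txn)),
      safe: containsActiveMarkup(renderTransactionSafe(txn)),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block shows the attacker's record renders with a live event handler under the vulnerable function and as inert text under the hardened one, while the benign message containing `<3` is displayed correctly in both cases; rejecting `<` at input time would have broken that legitimate message without addressing other output contexts.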

--------------------------------------------------------------------------------

3. Impact:


Injected script runs in the context of the victim's authenticated PayPal
session, which could potentially give an attacker access to the victim's
PayPal account.

--------------------------------------------------------------------------------

4. Affected Products:


www.paypal.com

--------------------------------------------------------------------------------

5. Solution: None at the time of publication

--------------------------------------------------------------------------------

6. Time Table:


12/06/2010 Reported vulnerability to the vendor
12/07/2010 Vendor acknowledged vulnerability

--------------------------------------------------------------------------------

7. Credits:


Discovered by Nathan Power
www.securitypentest.com

--------------------------------------------------------------------------------


Full-Disclosure is hosted and sponsored by Secunia.