Re: Cross site scripting @verisign.com and @cybercash.com

From: KF (dotslash@snosoft.com)
Date: 04/22/02


Date: Mon, 22 Apr 2002 09:31:55 -0400
From: KF <dotslash@snosoft.com>
To: kristalaz <kristalaz@tdd.lt>

No this IS a hole in their side because their server attempts to
generate an error message based on the url supplied by the user... Also
someone else confirmed that there was an issue with this site in the
past allowing credit card info to be gleaned via javascript...

The issue you refer to is specific to the about: protocol... if I go to
any other http:// sites and append some java script I do not have the
same issue I get the standard 404 instead... the issue lies in the
generation of the error message on the cybercash.com side.

http://www.cybercash.com/%3Cblah

Sorry

*The document you have requested does not exist on this system.* Please
check the URL and try again or use the site map below to find the
information you are looking for.

If you believe you have received this message in error, write to support
at support@verisign.com <mailto:support@verisign.com> . Include the
error code and brief description of what you were doing when you
received this error.

*File:* /%253Cblah
<----------------------------------- Problem lies here.
*Error:* 404 - Not Found

Note the error File: (Insert javascript here)
-KF
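To make the distinction KF draws concrete (a server that builds its own 404 body from the requested URL, versus a browser-generated page), here is an added example that is not the cybercash.com/VeriSign code and not part of this thread. It models a 404 handler in two variants, one that reflects the decoded path verbatim and one that HTML-escapes it, plus a small access-log check that flags requests carrying encoded angle brackets (including the `%25`-style double encoding seen in the File: line above). The template, the log lines and the function names are all constructed for the illustration.

```python
"""Added example: a 404 page that echoes the requested path.

This is illustrative code, not the server software discussed in the thread.
The template text is modelled loosely on the error page quoted above.
"""
import html
import re
from urllib.parse import unquote

# Constructed template: the reflected value lands inside HTML body text.
ERROR_TEMPLATE = (
    "<p><b>The document you have requested does not exist on this system.</b></p>\n"
    "<p><b>File:</b> {file}</p>\n"
    "<p><b>Error:</b> 404 - Not Found</p>\n"
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that a doubly
    encoded probe such as /%253Cblah is seen as /<blah rather than /%3Cblah."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def render_404_unsafe(request_path: str) -> str:
    """Vulnerable variant: the decoded path is dropped into HTML unescaped,
    so any < > " in the request becomes markup in the error page."""
    return ERROR_TEMPLATE.format(file=fully_decode(request_path))


def render_404_safe(request_path: str) -> str:
    """Hardened variant: decode first, then escape every HTML-significant
    character before interpolating into the page body."""
    return ERROR_TEMPLATE.format(file=html.escape(fully_decode(request_path), quote=True))


# Matches the request line of a Common/Combined Log Format entry.
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_markup_probes(log_lines):
    """Return the raw request paths whose decoded form contains characters
    that would become markup if reflected (< > " '). Useful as a quick
    detection pass over access logs for a server known to echo the URL."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group(1)
        if any(ch in fully_decode(raw_path) for ch in '<>"\''):
            hits.append(raw_path)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2002:09:31:55 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '192.0.2.11 - - [22/Apr/2002:09:32:01 -0400] "GET /%3Cblah HTTP/1.0" 404 512',
    '192.0.2.12 - - [22/Apr/2002:09:32:07 -0400] "GET /%253Cblah HTTP/1.0" 404 512',
    '192.0.2.13 - - [22/Apr/2002:09:32:15 -0400] "GET /sitemap.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print("--- unsafe ---")
    print(render_404_unsafe("/%3Cblah"))
    print("--- safe ---")
    print(render_404_safe("/%3Cblah"))
    print("flagged:", find_markup_probes(SAMPLE_LOG))
```

The single change between the two renderers is the `html.escape` call; the decode-until-stable step matters on both sides, because a reflector that decodes once and then displays `/%3Cblah` only looks safe until something downstream decodes it again.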

kristalaz wrote:

>I don't think that this is a bug in their servers, because if you try this
>"about:<script>alert('hi')</script>" write in your address at IE >4.0, you
>will see that it's an IE bug, because this site is generated by browser
>------
>kristalaz
>kristalaz@yahoo.com
>http://linux.tinkle.lt