Movatterモバイル変換

[0]ホーム
URL:

Home page logo
fulldisclosure logo

Full Disclosuremailing list archives

PreviousBy DateNext
PreviousBy ThreadNext

PayPal.com XSS Vulnerability

From: Robert Kugler <robert.kugler10 () gmail com>
Date: Fri, 24 May 2013 18:38:44 +0200
Hello all!I'm Robert Kugler a 17 years old German student who's interested insecuring computer systems.I would like to warn you that PayPal.com is vulnerable to a Cross-SiteScripting vulnerability!PayPal Inc. is running a bug bounty program for professional securityresearchers.https://www.paypal.com/us/webapps/mpp/security/reporting-security-issuesXSS vulnerabilities are in scope. So I tried to take part and sent my findto PayPal Site Security.The vulnerability is located in the search function and can be triggeredwith the following javascript code:';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-searchScreenshot:http://picturepush.com/public/13144090Unfortunately PayPal disqualified me from receiving any bounty paymentbecause of being 17 years old...PayPal Site Security:"To be eligible for the Bug Bounty Program, you *must not*:... Be less than 18 years of age.If PayPal discovers that a researcher doesnot meet any of the criteria above, PayPal will remove that researcher fromthe Bug Bounty Program and disqualify them from receiving any bountypayments."I don’t want to allege PayPal a kind of bug bounty cost saving, but it’snot the best idea when you're interested in motivated securityresearchers...Best regards,Robert Kugler
_______________________________________________Full-Disclosure - We believe in it.Charter:http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia -http://secunia.com/
PreviousBy DateNext
PreviousBy ThreadNext

Current thread:

[8]ページ先頭
©2009-2025 Movatter.jp