Full Disclosure
mailing list archives
Re: Javascript
From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 14 Jan 2008 17:03:13 +0100
Hello,
FYI: I found the SiteCatalyst software running on paypal.com to be
vulnerable to XSS in the past (an unfiltered Referer URL was used as a
JavaScript value). Omniture/PayPal didn't respond to my emails; PayPal
fixed the issue after public disclosure.
Regards,
Thomas Pollet
On 14/01/2008, Michael Holstein <michael.holstein () csuohio edu> wrote:
This is from a current CNN home page:
/* SiteCatalyst code version: H.10.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */
Omniture is one of (many) sites that do tracking for companies... like
what your mouse moves over, how long it stays there, how long you view
each page, etc. etc.
This is why you should disable javascript for any site you don't
explicitly trust (FYI: by default, NoScript for Firefox allows *msn.com
*google.com, and a bunch of other stuff you probably don't want).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
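The defect Thomas describes above, a referrer URL spliced into a JavaScript string literal without encoding, shown as an added example (constructed here, not code from this thread or from Omniture) beside the encoding that keeps the value a plain string, with a round-trip check. The snippet shape, the names buildSnippetNaive, buildSnippetSafe, jsStringLiteral and the s.referrer property are assumptions.

```javascript
// Added example, not the thread's or Omniture's code. The tracking-snippet
// shape (an assignment to s.referrer) is assumed for illustration.

// Vulnerable: the URL is spliced straight into JavaScript source, so any
// quote or tag in it changes the meaning of the generated script.
function buildSnippetNaive(referrer) {
  return 's.referrer = "' + referrer + '";';
}

// Hardened: JSON.stringify yields a valid JS string literal; the extra
// replacements keep it safe inside an inline <script> block (a literal
// "</script>" in the text would otherwise end the block during HTML
// parsing) and in older engines that treat U+2028/U+2029 as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildSnippetSafe(referrer) {
  return 's.referrer = ' + jsStringLiteral(referrer) + ';';
}

// Check: run the generated snippet in isolation and report whether it
// parses at all and whether s.referrer came back as the original string.
function roundTrips(snippet, original) {
  const s = {};
  try {
    new Function('s', snippet)(s);
  } catch (e) {
    return { parsed: false, intact: false };
  }
  return { parsed: true, intact: s.referrer === original };
}

// Constructed sample referrer containing characters that break a naive literal.
const SAMPLE_REFERRER = 'http://example.test/?q="</script>&x=1';

function demo() {
  return {
    naive: roundTrips(buildSnippetNaive(SAMPLE_REFERRER), SAMPLE_REFERRER),
    safe: roundTrips(buildSnippetSafe(SAMPLE_REFERRER), SAMPLE_REFERRER),
  };
}
```

With the sample referrer the naive snippet is no longer a single string assignment (it fails to parse), while the safe snippet parses and returns the URL byte for byte.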