Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Javascript
From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 14 Jan 2008 17:03:13 +0100

Hello,

fyi: I found the sitecatalyst software running on paypal.com to be
vulnerable to xss in the past. (unfiltered referer url was used as a
javascript value). Omniture/paypal didn't respond to my emails, paypal
fixed the issue after public disclosure.

Regards,
Thomas Pollet

On 14/01/2008, Michael Holstein <michael.holstein () csuohio edu> wrote:

This is from a current CNN home page:

/* SiteCatalyst code version: H.10.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

Omniture is one of (many) sites that do tracking for companies .. like
what your mouse moves over, how long it stays there, how long you view
each page, etc. etc.

This is why you should disable javascript for any site you don't
explicitly trust (FYI: by default, NoScript for Firefox allows *msn.com
*google.com, and a bunch of other stuff you probably don't want).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault