eBay contains a cross-site scripting vulnerability

2006-04-03T00:00:00
ID VU:808921
Type cert
Reporter CERT
Modified 2006-05-02T15:04:00

Description

Overview

The eBay web site contains a cross-site scripting vulnerability.

Description

eBay is a popular auction web site. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website. More information about cross-site scripting is available in CERT Advisory CA-2000-02.


Impact

An attacker may be able to obtain sensitive data from the eBay web site. As of the publication of this document, attackers are using this vulnerability to redirect auction viewers to phishing sites and to modify the eBay auction page to steal credentials. A wide range of impacts may be possible, including disclosure of passwords, credit card numbers, or other personal information. Likewise, information stored in cookies could be stolen or corrupted. An attacker could also exploit web browser vulnerabilities that require scripting support.


Solution

We are currently unaware of a practical solution to this problem, however the following workarounds may help mitigate the vulnerability:


Disable scripting

Disable scripting in your web browser, as specified in the Securing Your Web Browser document and the Malicious Web Scripts FAQ. This can also be accomplished by adding "ebay.com" to the Restricted Sites zone in Internet Explorer. Users of Mozilla-based browsers can use Configurable Security Policies (CAPS) to disable scripting for the "ebay.com" web site.

Validate web site addresses

When interacting with web sites, pay close attention to the web site address displayed by the browser. Especially when providing login information, make sure the web browser is displaying the proper URL, as described in the eBay Spoof Email Tutorial and US-CERT Cyber Security Tip ST04-014.

Validate web site certificates

Web sites may require sensitive information such as passwords or credit card information. In these cases, make sure the web site is using an encrypted (HTTPS) connection. Validate the web site certificate, as described in US-CERT Cyber Security Tip ST05-010.


Vendor Information

808921

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ eBay

Notified: March 01, 2006 Updated: April 02, 2006

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.cert.org/advisories/CA-2000-02.html>
  • <http://www.cert.org/tech_tips/malicious_code_FAQ.html>
  • <http://www.us-cert.gov/cas/tips/ST04-014.html>
  • <http://www.us-cert.gov/cas/tips/ST05-010.html>
  • <http://pages.ebay.com/education/spooftutorial/spoof_3.html>
  • <http://pages.ebay.com/help/policies/listing-javascript.html>
  • <http://pages.ebay.com/securitycenter/>
  • <http://news.com.com/2100-7349_3-6056687.html>
  • <http://news.com.com/2100-1017-224622.html>

Acknowledgements

Thanks to Dan Plakosh of CERT/CC for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: | None
---|---
CERT Advisory: | CA-2000-02
Severity Metric:** | 9.58
Date Public:
| 1999-04-19
Date First Published: | 2006-04-03
Date Last Updated: | 2006-05-02 15:04 UTC
Document Revision: | 18