New XSS flaws within eBay sites
Written by DP
Tuesday, 27 May 2008
Updated: 27/05 - 17:58
eBay is again XSSed! Scammers can take advantage of these new critical cross-site scripting issues.
The affected domains are the following (and possibly more):
The XSS issues were submitted by Genosite, S_e_YM_e_N, www.r3t.n3t.nl and Uber0n.
eBay has been XSSed multiple times in the past:
We hope that all eBay XSS issues get fixed quickly for the sake of their users' privacy and security.
Quoting from a PC World news article titled "How To Avoid Falling Into The Phishing Hole":
This vector works:
<SCRIPT>if (top == window)location.href = 'http://www.xssed.com'</SCRIPT>
eBay lied... :-/
"eBay Account Phishing with eBay Redirect - Ebay fixed this + related XSS hole" - Roger Anton & Steven, 31-03-05
"How To Avoid Falling Into The Phishing Hole" - Tom Spring, PC World, 09-04-07