---------- Forwarded message ----------
Date: 10 Dec 2002 12:50:03 -0000
From: Liu Die Yu <liudieyuinchina@yahoo.com.cn>
To: bugtraq@securityfocus.com
Subject: XSS flaw found at "https://www.e-gold.com"

I know Bugtraq doesn't accept vulnerabilities on one site, but the following info is important; please suggest a forum for me to post.

----=======------

XSSatEGOLD-Content-Tech

XSS flaw found at "https://www.e-gold.com"

Technically, it's nothing new. XSS at e-gold is very dangerous. e-gold is one of the most popular ways to do international business, and unlike the credit card system, once e-gold is sent, it never comes back. There is no refund policy. So stealing a passphrase means stealing real gold. It's important, so I take it seriously.

[tested]
browser: MSIE v6
time: 2002/12/10 UTC+800

[demo]
at http://www16.brinkster.com/liudieyu/XSSatEGOLD/XSSatEGOLD-MyPage.htm
or http://clik.to/liudieyu ==> XSSatEGOLD
or

[CODE.URL START]
https://www.e-gold.com/acct/historycsv.asp?initial=1xxxx"><SCRIPT>s="You_can_NOT_trust_this_page_if_you_got_if_from_a_link.____by_LiuDieYu_http://clik.to/liudieyu";w=window.open("https://www.e-gold.com/acct/login.html");setTimeout("w.document.write(s)",150);</SCRIPT>&startmonth=12&startday=4&startyear=1996&endmonth=12&endday=4&endyear=2003&paymentsreceived=1&oldsort=tstamp&page=1
[CODE.URL END]

[exp]
Technically, there is only one thing important for XSS attackers: some CGIs can only be found when you are logged in, but they can be reached even if you are not logged in. Of course, the module dealing with logged-in users is different from the one dealing with un-logged-in users. So, you have to test in both situations to ensure it's not XSS vulnerable.

[contact]
http://clik.to/liudieyu ==> "how to contact liu die yu" section

[BTW]
this flaw can be found easily with FASX at http://clik.to/fasx
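The [exp] section makes two points a defender should take away: the reflected parameter (`initial`) is echoed into the page without encoding, and the logged-in and anonymous code paths are separate, so a fix applied to one can be missed in the other. The following is an added illustration, not code from the advisory or from e-gold. It assumes a hypothetical handler that echoes `initial` into a `value="..."` attribute (the `">` prefix in the demo URL suggests an attribute context, but the real ASP page is not on the page) and shows the unencoded pattern next to the HTML-encoded one, rendered through both the logged-in and the anonymous branch so the same encoder is exercised on each.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample input (not the advisory's payload): a value that closes the
# attribute and opens a script element, the same shape as the demo URL's "initial".
SAMPLE_INITIAL = '1xxxx"><SCRIPT>alert(1)</SCRIPT>'


def build_query(initial: str) -> str:
    """Build the query string as a browser would send it (percent-encoded)."""
    return "initial=" + quote(initial, safe="")


def render_field_unsafe(initial: str) -> str:
    """Vulnerable pattern (assumed): the parameter is echoed into an attribute verbatim."""
    return f'<input type="text" name="initial" value="{initial}">'


def render_field_safe(initial: str) -> str:
    """Hardened pattern: HTML-encode before placing the value in an attribute.
    html.escape(..., quote=True) encodes &, <, >, " and ', so the attribute
    cannot be closed early and no tag can be opened inside it."""
    return f'<input type="text" name="initial" value="{html.escape(initial, quote=True)}">'


def handle_request(query_string: str, logged_in: bool, safe: bool = True) -> str:
    """Hypothetical handler for a history page with two code paths.

    The advisory's point is that the anonymous branch is often the one nobody
    tested; here both branches route the parameter through the same renderer,
    which is the property a reviewer should check for.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    initial = params.get("initial", [""])[0]
    render = render_field_safe if safe else render_field_unsafe
    if logged_in:
        body = "<h1>Account history</h1>" + render(initial)
    else:
        # Anonymous visitors still get the form so they can log in and retry.
        body = "<h1>Please log in</h1>" + render(initial)
    return "<html><body>" + body + "</body></html>"


def contains_injected_script(page: str) -> bool:
    """Crude check used by the test: a literal <script tag present in the output."""
    return "<script" in page.lower()


if __name__ == "__main__":
    q = build_query(SAMPLE_INITIAL)
    for logged_in in (False, True):
        for safe in (False, True):
            page = handle_request(q, logged_in=logged_in, safe=safe)
            print(f"logged_in={logged_in} safe={safe} injected={contains_injected_script(page)}")
```

The check to carry over from this: run the same input against every code path that reflects it (here, `logged_in=False` and `logged_in=True`), not only the one reached through the normal UI.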