XSS flaw found at "https://www.e-gold.com" (fwd)
eugen at leitl.org
Fri Dec 13 04:51:57 PST 2002
---------- Forwarded message ----------
Date: 10 Dec 2002 12:50:03 -0000
From: Liu Die Yu <liudieyuinchina at yahoo.com.cn>
To: bugtraq at securityfocus.com
Subject: XSS flaw found at "https://www.e-gold.com"
i know bugtraq doesn't accept vulnerabilities on one site, but the following
info is important; please suggest a forum for me to post.
XSS flaw found at "https://www.e-gold.com"
technically, it's nothing new.
XSS at E-gold is very dangerous. E-gold is one of the most popular ways to
do international business. and unlike a credit card system, once e-gold is
sent, it never comes back. there is no refund policy.
so stealing passphrase means stealing real gold.
it's important, so i take it seriously.
technically, there is only one thing important for XSS attackers:
some CGI can only be found when you are logged in, but they can be reached
even if you are not logged in.
of course, the module dealing with logged-in users is different from the
one dealing with un-logged-in users.
so, you have to test in both situations to ensure it's not XSS vulnerable.
http://clik.to/liudieyu ==> "how to contact liu die yu" section
this flaw can be found easily with FASX at
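
An added example, not part of the original post: a regression check that requests the same CGI in both login states and flags any state where input comes back unencoded, which is the testing point the message makes. The route, parameter name, toy handler and canary string are all constructed for illustration.

```python
import html

# Harmless marker containing HTML-significant characters (constructed).
CANARY = 'zq"<>\'7'

def render(path, params, session):
    """Constructed toy app: one CGI, two code paths chosen by login state."""
    if path != "/acct/history.cgi":
        return 404, "not found"
    note = params.get("note", "")
    if session.get("user"):
        # Logged-in module: every reflected value is HTML-encoded.
        return 200, "<p>History for %s: %s</p>" % (
            html.escape(session["user"]), html.escape(note, quote=True))
    # Logged-out module: a separate page that echoes the input raw.
    return 200, "<p>Please log in to view: %s</p>" % note

def audit_reflection(handler, routes, sessions):
    """Request each (route, parameter) in each auth state.

    Returns (path, parameter, state) for every response that reflects
    the canary without encoding it.
    """
    findings = []
    for path, param_names in routes:
        for state, session in sessions.items():
            for name in param_names:
                status, body = handler(path, {name: CANARY}, session)
                if status == 200 and CANARY in body:
                    findings.append((path, name, state))
    return findings

# Route inventory gathered while logged in, then replayed in both states.
ROUTES = [("/acct/history.cgi", ["note"])]
SESSIONS = {"logged_in": {"user": "alice"}, "logged_out": {}}

if __name__ == "__main__":
    for path, name, state in audit_reflection(render, ROUTES, SESSIONS):
        print("unescaped reflection: %s param=%s state=%s" % (path, name, state))
```

A check run only with a logged-in session reports nothing here; the finding appears only when the same route is replayed without a session.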