Hi malware fighters,
The recent cross-site scripting filter inside Internet Explorer 8 does not protect against recent security leaks on the PayPal and eBay websites; users of the NoScript extension for Firefox do not have to worry. Through these cross-site scripting (XSS) vulnerabilities attackers can steal authentication data and other sensitive information and even carry out financial transactions on account of the victim, according to Giorgio Maone, the developer of NoScript. He says MS has copied all sorts of features of NoScript and added these to their own browser. “When MS launched the IE8 XSS-filter a year ago, it was striking to see that despite the similarity to NoScript’s anti-XSS protection, it was rather limited in outlay.”
The IE filter only protects against “type 1” XSS attacks, but cannot handle “type 0” variants, according to Maone. The vulnerabilities in the two extremely popular websites have been found by the “Team Elite” hacker group:
http://nemesis.te-home.net/News/20090518_PAYPAL_and_EBAY_still_Vulnerable_to_XSS__.html
These bugs were reported a couple of days ago, but other new bugs are easy to find.
Via these holes it is possible to inject iFrames and other such malcode.
Exclusive hole.
According to Maone the holes in the websites are remarkable, because only IE is vulnerable.
“All modern browsers, except IE, encode request URLs in the right manner before they are sent.
Abuse of this specific PayPal hole demands that the “double quotes” character is passed on without encoding.
While most XSS exploits are browser independent, this one works only in IE.”
Re: http://hackademix.net/2009/05/19/paypal-xss-an-ie-exclusive/
We do know that XSS exploits are a responsibility of the website owner/webmaster, but that does not help the browser user if webmasters and website owners or hosting parties are ignorant.
polonus
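
Added example, not part of the original post and not PayPal's or eBay's code: a sketch of why a reflection bug can depend on whether the browser percent-encodes the double quote, and why escaping on output closes it for every browser. The template, function names and sample value are hypothetical and constructed for illustration; it assumes a page that echoes the raw query string into an HTML attribute.

```javascript
// Constructed sample value containing the double quote discussed above.
// The injected attribute is a harmless marker.
const SAMPLE = 'x"data-injected="1';

// Models what reaches the server for the same link.
// encodesQuotes=true: browsers that percent-encode '"' before sending.
// encodesQuotes=false: the unencoded behaviour the post attributes to IE.
function rawQueryOnWire(value, encodesQuotes) {
  return encodesQuotes ? value.replace(/"/g, "%22") : value;
}

// Weak pattern: the raw query string is written into an attribute as-is,
// so the page is only as safe as the browser's URL encoding.
function renderNaive(rawQuery) {
  return '<input name="q" value="' + rawQuery + '">';
}

// Escape for an HTML attribute context; '&' must be replaced first.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Corrected pattern: escape on output, whatever the browser sent.
function renderSafe(rawQuery) {
  return '<input name="q" value="' + escapeAttr(rawQuery) + '">';
}

// True when text follows the closing quote of value="...", meaning the
// reflected data escaped the attribute it was supposed to stay inside.
function attributeBroken(html) {
  const m = html.match(/value="([^"]*)"(.*)>$/);
  return m !== null && m[2].length > 0;
}

console.log(renderNaive(rawQueryOnWire(SAMPLE, true)));
console.log(renderNaive(rawQueryOnWire(SAMPLE, false)));
console.log(renderSafe(rawQueryOnWire(SAMPLE, false)));
```

The naive template stays intact only when the browser happens to encode the quote; the escaped template stays intact in both cases, which is the server-side fix that does not rely on client behaviour.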