Ebay app. error

Heavyoak · Post by **Heavyoak** » Wed Aug 11, 2010 1:11 pm

* Home >
* My eBay >
* Applications >
* Manage apps >
* Link to UPS WorldShip

going there give me a XSS error and the page only shows "Sorry,Your UPS WorldShip® session on eBay has timed out."

I need an reg. expression to fix this. can someone make it?

Post by **Giorgio Maone** » Wed Aug 11, 2010 2:38 pm

Could you show (PM) me the [NoScript XSS] line(s) you should get in Tools|Error Console (Messages section) when this happens?

Heavyoak · Post by **Heavyoak** » Wed Aug 11, 2010 3:12 pm

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [http://shipext.ebay.com/upsworldship/home?mid=1&lang=en&country=US&view=canvas&parent=http%3A%2F%2Fcgi6.ebay.com%2Fws%2F&rpctoken=2081496016&env=production&sp=mid%2Clang%2Ccountry%2Cview%2Cparent%2Crpctoken%2Cis%2Cenv%2CstÂ§DATAÂ§PHNjcmlwdD52YXIgZ2FkZ2V0c19sb2NhdGlvbl9ocmVmX292ZXJyaWRlID0gJ2h0dHA6Ly9zaGlwZXh0LmViYXkuY29tL3Vwc3dvcmxkc2hpcC9ob21lP21pZD0xJmxhbmc9ZW4mY291bnRyeT1VUyZ2aWV3PWNhbnZhcyZwYXJlbnQ9aHR0cCUzQSUyRiUyRmNnaTYuZWJheS5jb20lMkZ3cyUyRiZycGN0b2tlbj0yMDgxNDk2MDE2Jic7PC9zY3JpcHQ%2BCjxzY3JpcHQgc3JjPSJodHRwOi8vZ2FkZ2V0cy5hcHBzb25lYmF5LmNvbS9nYWRnZXRzL2pzL2NvcmU6ZHluYW1pYy1oZWlnaHQ6dmlld3MuanM%2Fdj01YTQ0OGE1ZDk4MjBjY2ViOWQ2OWRhODhmZTVhNDliNCYiPjwvc2NyaXB0PjxzY3JpcHQgc3JjPSdodHRwOi8vZ2FkZ2V0cy5hcHBzb25lYmF5LmNvbS9nYWRnZXRzL2pzaS9jb3JlOmR5bmFtaWMtaGVpZ2h0OnZpZXdzLmpzP21pZD0xJmNvbnRhaW5lcj1zZWxsaW5nbWFuYWdlciZsYW5nPWVuJmNvdW50cnk9VVMmdmlldz1jYW52YXMmbWlkPTEmdXJsPWh0dHAlM0ElMkYlMkZjb20uZWJheS51cHMud29ybGRzaGlwJTJGc2VsbGluZ21hbmFnZXImJz48L3NjcmlwdD4%3D] from [http://084bl8a8on8ndqkrbqveilfa7u5t94bu-gadgets.appsonebay.com/gadgets/ifr?container=sellingmanager&mid=1&v=a8f84fa9d9ae9dba4771ffd0c6c02d3&lang=en&country=US&view=canvas&url=http%3A%2F%2Fcom.ebay.ups.worldship%2Fsellingmanager&rt=sellingmanager%3A%2FK%2BAgE0XjHiCHEcjylBRq9TdhCesT35Gzc5Qoye8sYDwBIlHGmxFm0WztB8rbLG3AU5pe%2BmsoOV6MYDWchfza0lBhyhBsebjLyAa6zhW4WBs40Ei4S52xbqYMMWwBhXgGLv9Pw8Yrnd%2FIXM337Co2lcKcJtSWV8iyfGWPEEa7ZONbLvxTSv5Pfa7q07opuNkxJ6%2BGOLvzvnj%2FZuDw1Kt56Co3Tt2FZyOlcRTxaxnre4zZnY2UZS6lZCPqISQaGFJ4pQps8h22jUFflD0wlNNojFMnW6lJFTn7Ol%2BWQyIxtH%2B7Awq&parent=http://cgi6.ebay.com/ws/&sb=http%3A%2F%2Fgadgets.appsonebay.com%2Fgadgets%2F&rpctoken=2081496016]: transformed into a download-only GET request.

there it is.

Post by **Giorgio Maone** » Wed Aug 11, 2010 3:55 pm

Unfortunately this request actually contains a XSS payload, probably benign but very stupid to be sent in a HTTP request.
The Base64 encoded data sent translates, in fact, into not just one, but three full fledged <SCRIPT> blocks, which unavoidably cause NoScript to scream:

Code: Select all

<script>var gadgets_location_href_override = 'http://shipext.ebay.com/upsworldship/home?mid=1&lang=en&country=US&view=canvas&parent=http%3A%2F%2Fcgi6.ebay.com%2Fws%2F&rpctoken=2081496016&';</script>
<script src="http://gadgets.appsonebay.com/gadgets/js/core:dynamic-height:views.js?v=5a448a5d9820cceb9d69da88fe5a49b4&"></script>
<script src='http://gadgets.appsonebay.com/gadgets/jsi/core:dynamic-height:views.js?mid=1&container=sellingmanager&lang=en&country=US&view=canvas&mid=1&url=http%3A%2F%2Fcom.ebay.ups.worldship%2Fsellingmanager&'></script>

If I was you, I'd try to just use the "Unsafe Reload" command when needed and leave exceptions alone, but if you prefer the following exception should work:

Code: Select all

^http://shipext\.ebay\.com/upsworldship/home\?

Heavyoak · Post by **Heavyoak** » Thu Aug 12, 2010 7:40 am

thank you. that works great.

InformAction Forums

Ebay app. error

Ebay app. error

Re: Ebay app. error

Re: Ebay app. error

Re: Ebay app. error

Re: Ebay app. error