PayPal XSS attack from Fraps.com ?

[Ezreal]

Hi all,

I was trying to buy Fraps from http://www.fraps.com.. and after I clicked the paypal button to go and buy it, a noscript message came and said that an xss attack has been blocked. I this true or just a false positive ? The button that I pressed is the white one here : http://www.fraps.com/buy.php

I looked into the console after the xss was blocked and it said something like : "paypal.112.2o7.net : server does not support RFC 5746, see CVE-2009-3555"

paypal.112.207.net ??? What site is that ? and why was it in www.paypal.com ?

Thanks in advance!

[therube]

Just read about 112.207.net ... let me see if I can find it ...

http://forums.mozillazine.org/viewtopic ... #p10139519


Your CVE, https://wiki.mozilla.org/Security:Renegotiation.


Error console show an NoScript entry relating to that XSS problem?
Posting that would help.

[Ezreal]

Just read about 112.207.net ... let me see if I can find it ...

http://forums.mozillazine.org/viewtopic ... #p10139519


Your CVE, https://wiki.mozilla.org/Security:Renegotiation.


Error console show an NoScript entry relating to that XSS problem?
Posting that would help.

I'm not sure exactly what to post.. is this the right thing ?
[NoScript XSS] Sanitized suspicious upload to [https://www.paypal.com/cgi-bin/webscr] from [http://www.fraps.com/buy.php]: transformed into a download-only GET request.

Oh and btw, I did a little test, having PayPal forbidden,

1. PayPal Forbidden in noscript > Clicking on the fraps paypal button > Going to PayPal > Doesn't give me the xss error anymore > Enabling PayPal in noscript > Page looks like this :


2. Having PayPal allowed in noscript > Clicking on the fraps paypal button > Going to PayPal > Gives me an xss error > Page looks like this :

Totally two diferrent pages.. this is really freaking me out..

[Ezreal]

I am now at my work place, same thing happens. This is very weird.. can anyone test this out as well please ? Thanks in advance!

[Ezreal]

Still no replies

[Ezreal]

Anyone out there ?

[Dorel]

It does the same thing on every single paypal button I press, so I guess it's a noscript bug ?

[therube]

That was strange.

The OP's original link was fraps.com. (that is <fraps.com>dot).

Now that loads "fraps.com." (with a dot), but is different from "fraps.com" (no dot) - at least in that both (& separately) "fraps.com." (with a dot) & "fraps.com (no dot) can be allowed in NoScript.


I'm (currently) running an older version of NoScript, 2.0.4, & receive no such XSS warning, regardless of what domains I have Allowed or not.


Other then that, you're going to have to wait for the powers to be to let you know what is going on & whether it is actually OK or not.

[therube]

With NoScript 2.0.6rc2 I am able to generate the XSS warning:

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://www.paypal.com/cgi-bin/webscr] from [http://www.fraps.com/buy.php]: transformed into a download-only GET request.