NoScript filtered a potential XSS attempt from Yahoo


Post by Guest »

Hi everyone

Recently I've been getting these notifications from NoScript when I want to sign out of my Yahoo account. I believe it started happening after the last update. My current version is 2.6.3. I also get these notifications sometimes when I try to sign in to eBay.

I'm not sure if it is safe to post the whole error code here. I will just post the beginning.

[NoScript XSS] Sanitized suspicious upload to [https://oneid.ebay.com/_oneid/oi...........(for ebay)

[NoScript XSS]: sanitized window.name, "clean=iframeHolder&dest=adFrame............(for yahoo)

This is not really causing any problems for me, but I want to know if it is something that I need to worry about?

Any help would be appreciated

Cheers,

Re: NoScript filtered a potential XSS attempt from Yahoo

Post by therube »

If you could post the entire message inside [code] tags.

Re: NoScript filtered a potential XSS attempt from Yahoo

Post by Thrawn »

Or, if you're concerned about sensitive info in the url, you can send it to a moderator via private message.

Re: NoScript filtered a potential XSS attempt from Yahoo

Post by therube »

Code:

[NoScript XSS] Sanitized suspicious upload to [https://oneid.ebay.com/_oneid/oi###DATA###%257B%2522uuid%2522%2520%253A%2520%2522006636e5-1ae0-4083-a8...ftag%2522%2520%253A%2520%2522AQAAATqfhJnkAAUxM2FiM...%2522%252C%2522tz%2522%2520%253A%2520%2522480%2522%252C%2522sc%2522%2520%253A%2520%2522684x1216x24x654x1216%2522%252C%2522ua%2522%2520%253A%2520%2522Mozilla%252F5.0%2520%28Windows%2520NT%25206.1%253B%2520WOW64%253B%2520rv%253A17.0%29%2520Gecko%252F20100101%2520Firefox%252F17.0%2522%252C%2522psv%2522%2520%253A%2520%252220100101%2522%252C%2522plat%2522%2520%253A%2520%2522Win32%2522%252C%2522lang%2522%2520%253A%2520%2522en-US%2522%252C%2522blang%2522%2520%253A%2520%2522na%2522%252C%2522slang%2522%2520%253A%2520%2522na%2522%252C%2522fonts%2522%2520%253A%2520%2522Aharoni%252CAndalus%252CAngsana%2520New%252CAngsanaUPC%252CAparajita%252CArabic%2520Transparent%252CArabic%2520Typesetting%252CArial%252CArial%2520Baltic%252CArial%2520Black%252CArial%2520CE%252CArial%2520CYR%252CArial%2520Greek%252CArial%2520Narrow%252CArial%2520TUR%252CBatang%252CBatangChe%252CBook%2520Antiqua%252CBookman%2520Old%2520Style%252CBookshelf%2520Symbol%25207%252CBrowallia%2520New%252CBrowalliaUPC%252CCalibri%252CCambria%252CCambria%2520Math%252CCandara%252CCentury%252CComic%2520Sans%2520MS%252CConsolas%252CConstantia%252CCorbel%252CCordia%2520New%252CCordiaUPC%252CCourier%2520New%252CCourier%2520New%2520Baltic%252CCourier%2520New%2520CE%252CCourier%2520New%2520CYR%252CCourier%2520New%2520Greek%252CCourier%2520New%2520TUR%252CDaunPenh%252CDavid%252CDFKai-SB%252CDilleniaUPC%252CDokChampa%252CDotum%252CDotumChe%252CEbrima%252CEstrangelo%2520Edessa%252CEucrosiaUPC%252CEuphemia%252CFangSong%252CFranklin%2520Gothic%2520Medium%252CFrankRuehl%252CFreesiaUPC%252CGabriola%252CGaramond%252CGautami%252CGeorgia%252CGisha%252CGulim%252CGulimChe%252CGungsuh%252CGungsuhChe%252CHanzel%2520Extended%252CImpact%252CIrisUPC%252CIskoola%2520Pota%252CJasmineUPC%252CKaiTi%252CKalinga%252CKartika%252CKhmer%2520UI%252CKodchiangUPC%252CKokila%252CLao%2520UI%252CLatha%252CLeelawadee%252CLevenim%2520MT%252CLilyUPC%252CLucida%2520Console%252CLucida%2520Sans%2520Unicode%252CMalgun%2520Gothic%252CMangal%252CMarlett%252CMeiryo%252CMeiryo%2520UI%252CMicrosoft%2520Himalaya%252CMicrosoft%2520JhengHei%252CMicrosoft%2520New%2520Tai%2520Lue%252CMicrosoft%2520PhagsPa%252CMicrosoft%2520Sans%2520Serif%252CMicrosoft%2520Tai%2520Le%252CMicrosoft%2520Uighur%252CMicrosoft%2520YaHei%252CMicrosoft%2520Yi%2520Baiti%252CMingLiU%252CMingLiU-ExtB%252CMingLiU_HKSCS%252CMingLiU_HKSCS-ExtB%252CMiriam%252CMiriam%2520Fixed%252CMongolian%2520Baiti%252CMonotype%2520Corsiva%252CMoolBoran%252CMS%2520Gothic%252CMS%2520Mincho%252CMS%2520PGothic%252CMS%2520PMincho%252CMS%2520Reference%2520Sans%2520Serif%252CMS%2520Reference%2520Specialty%252CMS%2520UI%2520Gothic%252CMV%2520Boli%252CNarkisim%252CNSimSun%252CNyala%252CPalatino%2520Linotype%252CPlantagenet%2520Cherokee%252CPMingLiU%252CPMingLiU-ExtB%252CRaavi%252CRod%252CSakkal%2520Majalla%252CSegoe%2520Print%252CSegoe%2520Script%252CSegoe%2520UI%252CSegoe%2520UI%2520Light%252CSegoe%2520UI%2520Semibold%252CSegoe%2520UI%2520Symbol%252CShonar%2520Bangla%252CShruti%252CSimHei%252CSimplified%2520Arabic%252CSimplified%2520Arabic%2520Fixed%252CSimSun%252CSimSun-ExtB%252CSylfaen%252CSymbol%252CTahoma%252CTimes%2520New%2520Roman%252CTimes%2520New%2520Roman%2520Baltic%252CTimes%2520New%2520Roman%2520CE%252CTimes%2520New%2520Roman%2520CYR%252CTimes%2520New%2520Roman%2520Greek%252CTimes%2520New%2520Roman%2520TUR%252CTraditional%2520Arabic%252CTrebuchet%2520MS%252CTunga%252CUtsaah%252CVani%252CVerdana%252CVijaya%252CVrinda%252CWebdings%252CWingdings%252CWingdings%25202%252CWingdings%25203%2522%252C%2522pluginsDetails%2522%2520%253A%2520%255B%257B%2520%2522name%2522%253A%2520%2522AliWangWang%2520Plug-In%2520For%2520Firefox%2520and%2520Netscape%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255CMozilla%2520Firefox%255Cplugins%255Cnpwangwang.dll%2522%252C%2520%2522version%2522%253A%2520%25221.0.0.3%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fww-plugin%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522dll%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522AliWangWang%2520Plug-In%2520For%2520Firefox%2520and%2520Netscape%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255Ctrademanager%255Cnpwangwang.dll%2522%252C%2520%2522version%2522%253A%2520%25221.0.0.3%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fww-plugin%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522dll%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522Foxit%2520Reader%2520Plugin%2520for%2520Mozilla%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255CFoxit%2520Software%255CFoxit%2520Reader%255Cplugins%255CnpFoxitReaderPlugin.dll%2522%252C%2520%2522version%2522%253A%2520%25222.2.1.530%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fpdf%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522pdf%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522NVIDIA%25203D%2520VISION%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255CNVIDIA%2520Corporation%255C3D%2520Vision%255Cnpnv3dvstreaming.dll%2522%252C%2520%2522version%2522%253A%2520%25227.17.12.5964%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fmozilla-3DV-streaming-plugin%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522rts%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522NVIDIA%25203D%2520Vision%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255CNVIDIA%2520Corporation%255C3D%2520Vision%255Cnpnv3dv.dll%2522%252C%2520%2522version%2522%253A%2520%25227.17.12.5964%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522image%252Fjps%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522jps%2522%2520%257D%252C%257B%2520%2522type%2522%253A%2520%2522image%252Fpns%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522pns%2522%2520%257D%252C%257B%2520%2522type%2522%253A%2520%2522image%252Fmpo%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522mpo%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522Shockwave%2520Flash%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CWindows%255CSysWOW64%255CMacromed%255CFlash%255CNPSWF32_11_4_402_287.dll%2522%252C%2520%2522version%2522%253A%2520%252211.4.402.287%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fx-shockwave-flash%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522swf%2522%2520%257D%252C%257B%2520%2522type%2522%253A%2520%2522application%252Ffuturesplash%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522spl%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522TradeManager%2520Plug-In%2520For%2520Firefox%2520and%2520Netscape%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255CMozilla%2520Firefox%255Cplugins%255Cnptrademanager.dll%2522%252C%2520%2522version%2522%253A%2520%25221.0.0.1%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fatm-plugin%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522dll%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522TradeManager%2520Plug-In%2520For%2520Firefox%2520and%2520Netscape%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255Ctrademanager%255Cnptrademanager.dll%2522%252C%2520%2522version%2522%253A%2520%25221.0.0.1%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fatm-plugin%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522dll%2522%2520%257D%255D%257D%252C%257B%2520%2522name%2522%253A%2520%2522Yahoo%2520Application%2520State%2520Plugin%2522%252C%2520%2522file%2522%253A%2520%2522C%253A%255CProgram%2520Files%2520%28x86%29%255CYahoo%21%255CShared%255CnpYState.dll%2522%252C%2520%2522version%2522%253A%2520%25221.0.0.7%2522%252C%2520%2522mime%2522%253A%2520%255B%257B%2520%2522type%2522%253A%2520%2522application%252Fx-vnd.yahoo.applicationState%2522%252C%2520%2522suffixes%2522%2520%253A%2520%2522npYState%2522%2520%257D%255D%257D%255D%257D] from [https://signin.ebay.ca/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=2&ru=http%3A%2F%2Fsignin.ebay.ca%2Fws%2FeBayISAPI.dll%3FChangePasswordAndCreateHint%26guest%3D1&pp=pass&pageType=708&i1=0]: transformed into a download-only GET request.
This happened in version 2.6.3, I updated yesterday and haven't had a problem yet.
btw is there any sensitive info stored in these codes?
> sensitive info

No, I don't think so.

Cleaned up a bit (though it'll be ugly posted here ;-)). That sure is a mess, what's being sent. I'll leave it for others to figure it out.
(Oh & your Adobe Flash is well out of date & should be updated.)
(Oh & Yahoo Application State Plugin looks to be on the blocklist.)

Code:

https://oneid.ebay.com/_oneid/oi###DATA###	
uuid
006636e5-1ae0-4083-a8...
ftag
AQAAATqfhJnkAAUxM2FiM...
tz
480
sc
684x1216x24x654x1216
ua
Mozilla	5.0	%28Windows	NT	6.1		WOW64		rv	17.0%29	Gecko	20100101	Firefox	17.0
psv
20100101
plat
Win32
lang
en-US
blang
na
slang
na
fonts
Aharoni	Andalus	Angsana	New	AngsanaUPC	Aparajita	Arabic	Transparent	Arabic	Typesetting	Arial	Arial	Baltic	Arial	Black	Arial	CE	Arial	CYR	Arial	Greek	Arial	Narrow	Arial	TUR	Batang	BatangChe	Book	Antiqua	Bookman	Old	Style	Bookshelf	Symbol	7	Browallia	New	BrowalliaUPC	Calibri	Cambria	Cambria	Math	Candara	Century	Comic	Sans	MS	Consolas	Constantia	Corbel	Cordia	New	CordiaUPC	Courier	New	Courier	New	Baltic	Courier	New	CE	Courier	New	CYR	Courier	New	Greek	Courier	New	TUR	DaunPenh	David	DFKai-SB	DilleniaUPC	DokChampa	Dotum	DotumChe	Ebrima	Estrangelo	Edessa	EucrosiaUPC	Euphemia	FangSong	Franklin	Gothic	Medium	FrankRuehl	FreesiaUPC	Gabriola	Garamond	Gautami	Georgia	Gisha	Gulim	GulimChe	Gungsuh	GungsuhChe	Hanzel	Extended	Impact	IrisUPC	Iskoola	Pota	JasmineUPC	KaiTi	Kalinga	Kartika	Khmer	UI	KodchiangUPC	Kokila	Lao	UI	Latha	Leelawadee	Levenim	MT	LilyUPC	Lucida	Console	Lucida	Sans	Unicode	Malgun	Gothic	Mangal	Marlett	Meiryo	Meiryo	UI	Microsoft	Himalaya	Microsoft	JhengHei	Microsoft	New	Tai	Lue	Microsoft	PhagsPa	Microsoft	Sans	Serif	Microsoft	Tai	Le	Microsoft	Uighur	Microsoft	YaHei	Microsoft	Yi	Baiti	MingLiU	MingLiU-ExtB	MingLiU_HKSCS	MingLiU_HKSCS-ExtB	Miriam	Miriam	Fixed	Mongolian	Baiti	Monotype	Corsiva	MoolBoran	MS	Gothic	MS	Mincho	MS	PGothic	MS	PMincho	MS	Reference	Sans	Serif	MS	Reference	Specialty	MS	UI	Gothic	MV	Boli	Narkisim	NSimSun	Nyala	Palatino	Linotype	Plantagenet	Cherokee	PMingLiU	PMingLiU-ExtB	Raavi	Rod	Sakkal	Majalla	Segoe	Print	Segoe	Script	Segoe	UI	Segoe	UI	Light	Segoe	UI	Semibold	Segoe	UI	Symbol	Shonar	Bangla	Shruti	SimHei	Simplified	Arabic	Simplified	Arabic	Fixed	SimSun	SimSun-ExtB	Sylfaen	Symbol	Tahoma	Times	New	Roman	Times	New	Roman	Baltic	Times	New	Roman	CE	Times	New	Roman	CYR	Times	New	Roman	Greek	Times	New	Roman	TUR	Traditional	Arabic	Trebuchet	MS	Tunga	Utsaah	Vani	Verdana	Vijaya	Vrinda	Webdings	Wingdings	Wingdings	2	Wingdings	3
pluginsDetails
name
AliWangWang	Plug-In	For	Firefox	and	Netscape
file
C		Program	Files	%28x86%29	Mozilla	Firefox	plugins	npwangwang.dll
version
1.0.0.3
mime
type
application	ww-plugin
suffixes
dll
name
AliWangWang	Plug-In	For	Firefox	and	Netscape
file
C		Program	Files	%28x86%29	trademanager	npwangwang.dll
version
1.0.0.3
mime
type
application	ww-plugin
suffixes
dll
name
Foxit	Reader	Plugin	for	Mozilla
file
C		Program	Files	%28x86%29	Foxit	Software	Foxit	Reader	plugins	npFoxitReaderPlugin.dll
version
2.2.1.530
mime
type
application	pdf
suffixes
pdf
name
NVIDIA	3D	VISION
file
C		Program	Files	%28x86%29	NVIDIA	Corporation	3D	Vision	npnv3dvstreaming.dll
version
7.17.12.5964
mime
type
application	mozilla-3DV-streaming-plugin
suffixes
rts
name
NVIDIA	3D	Vision
file
C		Program	Files	%28x86%29	NVIDIA	Corporation	3D	Vision	npnv3dv.dll
version
7.17.12.5964
mime
type
image	jps
suffixes
jps
type
image	pns
suffixes
pns
type
image	mpo
suffixes
mpo
name
Shockwave	Flash
file
C		Windows	SysWOW64	Macromed	Flash	NPSWF32_11_4_402_287.dll
version
11.4.402.287
mime
type
application	x-shockwave-flash
suffixes
swf
type
application	futuresplash
suffixes
spl
name
TradeManager	Plug-In	For	Firefox	and	Netscape
file
C		Program	Files	%28x86%29	Mozilla	Firefox	plugins	nptrademanager.dll
version
1.0.0.1
mime
type
application	atm-plugin
suffixes
dll
name
TradeManager	Plug-In	For	Firefox	and	Netscape
file
C		Program	Files	%28x86%29	trademanager	nptrademanager.dll
version
1.0.0.1
mime
type
application	atm-plugin
suffixes
dll
name
Yahoo	Application	State	Plugin
file
C		Program	Files	%28x86%29	Yahoo%21	Shared	npYState.dll
version
1.0.0.7
mime
type
application	x-vnd.yahoo.applicationState
suffixes
npYState

from https://signin.ebay.ca/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=2&ru=http%3A%2F%2Fsignin.ebay.ca%2Fws%2FeBayISAPI.dll%3FChangePasswordAndCreateHint%26guest%3D1&pp=pass&pageType=708&i1=0 transformed into a download-only GET request.
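The blob therube decoded by hand above can be decoded mechanically. The Python below is an added example, not code from the thread or from NoScript. It takes a message in the shape NoScript printed, splits the upload URL at the `###DATA###` marker, percent-decodes until the text stops changing (the `%25` prefixes in the dump mean two layers of encoding), parses the JSON and summarises the fields. The sample message is constructed from a handful of the values visible in the dump, with both URLs shortened; the plugin paths are kept with single backslashes, which is how the dump carries them (`%255C`, not `%255C%255C`) and which strict JSON rejects, so the parser falls back to treating every backslash as literal. The function names and the `SAMPLE_PAYLOAD` contents are mine.

```python
"""Decode a NoScript "Sanitized suspicious upload" message of the kind shown above.

Added example, not code from NoScript or from the thread. The sample message is
constructed from a few of the values visible in the dump; the URLs are shortened.
"""
import json
import re
from urllib.parse import quote, unquote

# Constructed sample: a subset of the fields in the page's dump. Plugin paths are
# kept with single backslashes, the way the dump shows them.
SAMPLE_PAYLOAD = {
    "tz": "480",
    "sc": "684x1216x24x654x1216",
    "plat": "Win32",
    "fonts": "Arial,Calibri,Consolas",
    "pluginsDetails": [
        {"name": "Shockwave Flash",
         "file": r"C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll",
         "version": "11.4.402.287"},
        {"name": "Foxit Reader Plugin for Mozilla",
         "file": r"C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll",
         "version": "2.2.1.530"},
    ],
}
DEST_BASE = "https://oneid.ebay.com/_oneid/oi"           # as in the page's message
ORIGIN = "https://signin.ebay.ca/ws/eBayISAPI.dll?SignIn"  # shortened; the page shows the full query

_MSG_RE = re.compile(r"upload to \[(?P<dest>[^\]]*)\] from \[(?P<origin>[^\]]*)\]")


def build_message(payload: dict, raw_backslashes: bool = True) -> str:
    """Serialise `payload` the way the dump shows it: JSON, percent-encoded twice."""
    text = json.dumps(payload)
    if raw_backslashes:
        # The dump carries `C:\Program Files` as a single %255C, i.e. one backslash,
        # not the JSON escape `\\`; reproduce that so the decoder has to cope with it.
        text = text.replace("\\\\", "\\")
    encoded = quote(quote(text, safe=""), safe="")
    return (f"[NoScript XSS] Sanitized suspicious upload to [{DEST_BASE}###DATA###{encoded}]"
            f" from [{ORIGIN}]: transformed into a download-only GET request.")


def unquote_fully(text: str, max_rounds: int = 4) -> tuple:
    """Percent-decode until the text stops changing; return (text, rounds).

    Bounded, because data that legitimately contains a literal '%25' would
    otherwise be over-decoded; the page's blob needs exactly two rounds.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def parse_json_lenient(text: str) -> tuple:
    """Strict JSON first; if that fails, treat every backslash as a literal one."""
    try:
        return json.loads(text), "strict"
    except json.JSONDecodeError:
        # Assumes the sender emitted raw Windows paths with no JSON escapes at all,
        # which is what the dump shows; a genuine \" in the data would break this.
        return json.loads(text.replace("\\", "\\\\")), "backslashes-doubled"


def decode_message(message: str) -> dict:
    """Split the destination URL at ###DATA###, decode and parse what was uploaded."""
    m = _MSG_RE.search(message)
    if not m:
        raise ValueError("not a NoScript 'Sanitized suspicious upload' message")
    dest = m.group("dest")
    if "###DATA###" not in dest:
        raise ValueError("destination URL carries no ###DATA### marker")
    base, blob = dest.split("###DATA###", 1)
    text, rounds = unquote_fully(blob)
    payload, mode = parse_json_lenient(text)
    return {"dest_base": base, "origin": m.group("origin"),
            "rounds": rounds, "parse_mode": mode, "payload": payload}


def summarize(payload: dict) -> dict:
    """What a reviewer wants at a glance: field names, font count, plugin names/versions."""
    fonts = payload.get("fonts", "")
    return {
        "fields": sorted(payload),
        "font_count": len(fonts.split(",")) if fonts else 0,
        "plugins": [(p.get("name"), p.get("version")) for p in payload.get("pluginsDetails", [])],
    }


if __name__ == "__main__":
    record = decode_message(build_message(SAMPLE_PAYLOAD))
    print(f"{record['rounds']} decode rounds, JSON parsed {record['parse_mode']}")
    for key, value in summarize(record["payload"]).items():
        print(f"{key}: {value}")
```

Run it and you get the same picture therube's hand-cleaned listing gives: installed fonts, plugins with file paths and versions, user agent, screen size, time zone and locale, the usual inputs of a browser fingerprint. The decoder only shows what the upload carried; it cannot tell you whether the receiving page reflects any of it unescaped. The message itself says what NoScript did about it: it sanitized the suspicious upload by turning it into a download-only GET.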

Re: NoScript filtered a potential XSS attempt from Yahoo

Post by Thrawn »

Wow. They're passing an essay in the query string. I'm not sure whether it's likely to be vulnerable to XSS attacks, but with all the data in there, probably.

Re: NoScript filtered a potential XSS attempt from Yahoo

Post by Guest »

googled: tcpview
clicked (details below)
ended up at sysinternals.microsoft.com

Is this clickjacking, if sysinternals.com ends up at a microsoft.com page?

TCPView - Sysinternals - private
www.sysinternals.com/Utilities/TcpView.html
A description for this result is not available because of this site's robots.txt - private – learn more - private.

Re: NoScript filtered a potential XSS attempt from Yahoo

Post by therube »

MS bought Sysinternals.
Sysinternals is fine. (Can't say the same about MS ;-).)

Re: NoScript filtered a potential XSS attempt from Yahoo

Post by Gamma »

therube wrote: Cleaned up a bit (though it'll be ugly posted here ;-)). That sure is a mess, what's being sent. I'll leave it for others to figure it out.
(Oh & your Adobe Flash is well out of date & should be updated.)
(Oh & Yahoo Application State Plugin looks to be on the blocklist.)
I updated Adobe Flash. Currently it is version 11.5.r502
I disable the plugins that don't seem to be useful. Should I enable the Yahoo Plugin?

One more thing, before I started getting this error, eBay sent me an email telling me my account is compromised and I need to reset my password. I'm pretty sure that my account wasn't hijacked through a phishing attempt or a key-logger. I contacted eBay and they told me that someone was trying to access my account from Romania. Do you think it could have been an XSS attack?

As I mentioned, after updating to version 2.6.4.1 I haven't been getting any notifications.

Thanks again for your help

Cheers,