PayPal XSS attack from Fraps.com ?
Posted: Thu Nov 18, 2010 2:27 am
by Ezreal
Hi all,
I was trying to buy Fraps from http://www.fraps.com.. and after I clicked the PayPal button to go and buy it, a NoScript message came and said that an XSS attack has been blocked. Is this true or just a false positive? The button that I pressed is the white one here: http://www.fraps.com/buy.php
I looked into the console after the xss was blocked and it said something like : "paypal.112.2o7.net : server does not support RFC 5746, see CVE-2009-3555"
paypal.112.207.net ??? What site is that? And why was it in www.paypal.com?
Thanks in advance!
Re: PayPal XSS attack from Fraps.com ?
Posted: Thu Nov 18, 2010 5:15 am
by therube
Just read about 112.207.net ... let me see if I can find it ...
http://forums.mozillazine.org/viewtopic ... #p10139519
Your CVE, https://wiki.mozilla.org/Security:Renegotiation.
Does the Error Console show a NoScript entry relating to that XSS problem?
Posting that would help.
Re: PayPal XSS attack from Fraps.com ?
Posted: Thu Nov 18, 2010 7:05 am
by Ezreal
I'm not sure exactly what to post.. is this the right thing ?
[NoScript XSS] Sanitized suspicious upload to [https://www.paypal.com/cgi-bin/webscr] from [http://www.fraps.com/buy.php]: transformed into a download-only GET request.
Oh and btw, I did a little test, having PayPal forbidden,
1. PayPal forbidden in NoScript > Clicking on the Fraps PayPal button > Going to PayPal > Doesn't give me the XSS error anymore > Enabling PayPal in NoScript > Page looks like this:
2. Having PayPal allowed in NoScript > Clicking on the Fraps PayPal button > Going to PayPal > Gives me an XSS error > Page looks like this:

Totally two different pages.. this is really freaking me out..
Re: PayPal XSS attack from Fraps.com ?
Posted: Thu Nov 18, 2010 7:38 am
by Ezreal
I am now at my work place, same thing happens. This is very weird.. can anyone test this out as well please ? Thanks in advance!
Re: PayPal XSS attack from Fraps.com ?
Posted: Thu Nov 18, 2010 1:01 pm
by Ezreal
Still no replies

Re: PayPal XSS attack from Fraps.com ?
Posted: Thu Nov 18, 2010 8:15 pm
by Ezreal
Anyone out there ?
Re: PayPal XSS attack from Fraps.com ?
Posted: Fri Nov 19, 2010 1:07 pm
by Dorel
It does the same thing on every single paypal button I press, so I guess it's a noscript bug ?
Re: PayPal XSS attack from Fraps.com ?
Posted: Fri Nov 19, 2010 3:17 pm
by therube
That was strange.
The OP's original link was fraps.com. (that is <fraps.com>dot).
Now that loads "fraps.com." (with a dot), but is different from "fraps.com" (no dot) - at least in that both (& separately) "fraps.com." (with a dot) & "fraps.com" (no dot) can be allowed in NoScript.
I'm (currently) running an older version of NoScript, 2.0.4, & receive no such XSS warning, regardless of what domains I have Allowed or not.
Other than that, you're going to have to wait for the powers to be to let you know what is going on & whether it is actually OK or not.
Re: PayPal XSS attack from Fraps.com ?
Posted: Fri Nov 19, 2010 3:26 pm
by therube
With NoScript 2.0.6rc2 I am able to generate the XSS warning:
[NoScript XSS] Sanitized suspicious upload to [https://www.paypal.com/cgi-bin/webscr] from [http://www.fraps.com/buy.php]: transformed into a download-only GET request.