Another eBay permanent XSS
Written by KF
Tuesday, 13 November 2012
The Indian security researcher Shubham Upadhyay, aka Cyb3R_Shubh4M, sent us a new permanent XSS affecting the product listings on eBay.com.
He explained to us how to reproduce it:
I've found a critical persistent XSS bug on eBay. For that you need a seller account "Once you log in to your seller account on eBay, create a listing for sale". Now in edit HTML put the XSS code: '"--></style></script><script>alert("XSSed by Cyb3R_Shubh4M")</script> and then preview your listing and b00m!
Here is the page where he injected his code:
It interprets the code in the www.ebay.com domain on all browsers.
The mirror is available here: http://www.xssed.com/mirror/79259/
According to the researcher, it also gets executed in the cgi.ebay.com domain when logged in to the seller account!
Thanks for sharing this interesting finding!