Lets be seriuse for a minuet

[Sparda]

This doesn't seem to have been covered by the FAQ but, are we allowed to publish vunrabilitys we our selfs discover?

[cooper]

I don't see why not. Just make sure you CC the Full Disclosure list.

[VaKo]

I'd say go for it personally, but if there is a takedown notice, it will probally have to be removed...

[armadaender]

I can't see why one shouldn't. For many it could be a learning experience. Post what it is, how it's exploited, how you found it, etc.

Many of us (as far as I know) are white/grey hats and won't take the information and use it for personal gain.

[Sparda]

Fair enough, well, while this is the most basic of basic cross site scripting vunrability I thought it might act as a live primer to the subject.

Has any body herd of the book "The AntiChrist"?

Well, some of you might be interested in buying the book which you can do here: http://www.prophecyhouse.com/order

but why use that order form when you can use sparda's slightly modifiyed one (just click any of the buy links to see what I mean)?

Explination:

This is so simple i'd personaly hardly call it a vunrability. All you have to do is download the origional page and modifiy the obviuse money values and bang, you can have it at any price you want (except negative values becasue paypal provent you from using them).

Question:

How should one go about making the owner of the site aware of there broken unsecurer web site (be sides posting it on digg)?

[VaKo]

Download and run Tor (even better use a hacked WAP and a LiveCD.

Signup for a free webmail account (only ever access it from tor).

Email the site owner, (use every email address on the site) and give a detailed explination of the fault, a suggested fix and explain why this could negativly effect there buisness.

Yeah, this is extreem, but its very unlikely you'll be tracked down.

I'd just email them and make it damn clear you want to help, and this is fixable issue. Hell, its unlikely, but they might even pay you to fix it. Just make sure you use a spell checker for the email though ;-).

[Sparda]

I can't actualy think of a fix for this (with out setting up there own cart on there server) becasue all the values have to be passed to the paypal cart using forms (or that JavaScript thing they give you which is just as easily hackable)...

[VaKo]

Fuckit then... Its not even a good book.

[Sparda]

Funny you should say that... I actualy found this web site as a result of reading one of the legal threats on thepiratebay.org :P

[cooper]

When you buy something using PayPal, the process works like this:

You fill out a form or something on the Shop Website.

You get redirected to PayPay for payment processing using the information on the form.

You tell PayPal to pay the amount it was told (via the form).

PayPal's server will connect to a page on the Shop Website, thus telling it about the transaction it has just serviced, including all relevant info such as currency, amount, and the site tracking number so they know it was YOU that paid.

The Shop Website can now check the data, and either accept or reject the transaction.

You are shown the result of your transaction and then sent back to the shop website now that PayPal has done its thing.

In other words, unless you've used this to order a book, and actually received it for any less than you normally would have to pay, this is an issue that has been dealt with (or at least PayPal's payment method has considered. If the site owner fucked up the implementation, well, that's their problem).

[Sparda]

Thats why when ordering things using a modified amount you should only modifiy the decimal points position. "Oh... the decimal points in the wrong place... must be a typo... oh well *posts books and DVDs*", then there is a good chance the transaction will actualy go through asuming the person proccessing it isn;t that computer littrate.

[jool]

As with all vulnrabilities you should always inform the people it affects first and give them time to repair it. Releasing something ready to be abused without giving them the time to fix it is just irresponsible.

[cooper]

He doesn't know if they're vulnerable yet. He just paid too little and is hoping they don't notice prior to shipping the book.

Unless they're fucktarts, chances are he's going to have a long, hard discussion with them about how he can get his money back (or pay more to actually get the item he requested).

[tx]

def email them sparda... ooor change your modified code to charge 200 dollars for the time being

so n00bs cant use it for '1337 hax0r' reasons :P

[Guest]

As with all vulnrabilities you should always inform the people it affects first and give them time to repair it. Releasing something ready to be abused without giving them the time to fix it is just irresponsible.

The funny thing about doing that is it doesnt always work, im talking from expirience with a large chat software that i use on one of my chats. There is a few bugs that allow people to fully take over the chat that will make them admin on the chat server. I have emailed the people that make this software a few times showing them how to do it and that im willing to help them fix the bugs. But they just ignore me, iv even sent them the passwords to there own admin account on there own server as they host alot of chats with this software, just to show them i wasnt lying about the bugs, but yet they ignore me and do nothing to fix the problem. Its like the fill if they ignore the bug it doesnt exitst. So what would you do in this situation, one dont worry about it and keep the bug to your self, or two make the bugs public knowledge?

[Sparda]

Give them 6 months then make it public, it's the only way to presure them to fix it.

[Guest]

its been longer then 6months and they still dont care. They dont even seem to care that i can go into there server when ever i fill like it and fuck with all there paying cutomers and make my self a chat on there server, they just remove my chat and change there passwords. At one stage i was even removing the paid customers hoping that they will bitch at them enough to make them fix it but that didnt even work.

[cooper]

There is a few bugs that allow people to fully take over the chat that will make them admin on the chat server.

You could make yourself admin on the server, remove all admin rights from all other users that have it, and have them receive a private message from themselves detailing the problem, that you tried to tell them about it and they didn't care. Since they didn't care to fix the issue they probably won't be troubled by this either. Hrmmm?

[Guest]

yeh i done that, but you cant "remove" the admin account or make your own so they think. But for the messaging thing done that.