The eBay web site contains a cross-site scripting vulnerability.
eBay is a popular auction web site. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website. More information about cross-site scripting is available in CERT Advisory CA-2000-02.
An attacker may be able to obtain sensitive data from the eBay web site. As of the publication of this document, attackers are using this vulnerability to redirect auction viewers to phishing sites and to modify the eBay auction page to steal credentials. A wide range of impacts may be possible, including disclosure of passwords, credit card numbers, or other personal information. Likewise, information stored in cookies could be stolen or corrupted. An attacker could also exploit web browser vulnerabilities that require scripting support.
We are currently unaware of a practical solution to this problem, however the following workarounds may help mitigate the vulnerability:
Thanks to Dan Plakosh of CERT/CC for reporting this vulnerability.
This document was written by Will Dormann.