Один 17-ти летний подросток из Германии нашел уязвимость сайта Paypal.com. Вызвать глюк можно воспользовавшись функцией поиска на сайте если вставить туда определенный Javascript-код:
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
Роберт Кугле (17-ти летний подросток) отправил информацию о данной уязвимости, в своотвествии с инструкциями на сайте Paypal для профессианалов, которые специализируются на поиске багов. В ответ Роберт получил дисквалификацию, т.к. участниками программы вознаграждения могут быть только лица не моложе 18-ти лет. Данный ответ обидел юного хакера, после чего он опубликовал уязвимость в открытом доступе.
Нужно заметить, что аналогичные программы от Google или Mozilla позволяют принимать участие даже школьникам, правда с согласия родителей.
Стоило ли представителям paypal выплатить вознаграждение нашему хакеру? Правильно ли участие несовершеннолетних в такого рода программах? Интересно узнать мнение наших читателей.
Joomla! Debug Console
session.client.browser ⇒ Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
password_clear ⇒
groups ⇒
session.token ⇒ 0f3a9f948416d8d2245ac908c821a430
6.15 MB (6,448,360 Bytes)
70 Queries Logged
SELECT m.id, m.menutype, m.title, m.alias, m.note, m.path AS route, m.link, m.type, m.level, m.language,m.browserNav, m.access, m.params, m.home, m.img, m.template_style_id, m.component_id, m.parent_id,e.element as component
FROM j25_menu AS m
LEFT JOIN j25_extensions AS e
ON m.component_id = e.extension_id
WHERE m.published = 1
AND m.parent_id > 0
AND m.client_id = 0
ORDER BY m.lftSHOW FULL COLUMNS
FROM `j25_easyblog_configs`SELECT *
FROM j25_easyblog_configs
WHERE `name` = 'config'SHOW FULL COLUMNS
FROM `j25_easyblog_post`SELECT a.`id`
FROM j25_easyblog_post as a
WHERE a.`permalink` = 'xss:uyazvimost-paypal-com'SELECT a.`id`
FROM j25_easyblog_post as a
WHERE a.`permalink` = 'xss-uyazvimost-paypal-com'SELECT *
FROM j25_easyblog_post
WHERE `id` = '171'DELETE
FROM `j25_easyblog_mailq`
WHERE `status`='1'
AND DATEDIFF(NOW(), `created`) >= 7SELECT `id`
FROM `j25_easyblog_mailq`
WHERE `status` = 0
ORDER BY `created` ASC
LIMIT 5SELECT *
FROM `j25_easyblog_post`
WHERE `publish_up` <= '2025-05-15 07:25:52'
AND `published` = '2'
AND `ispending` = '0'
ORDER BY `id`
LIMIT 5UPDATE `j25_easyblog_post`
SET `published` = '0'
WHERE `publish_down` > `publish_up`
AND `publish_down` <= '2025-05-15 07:25:52'
AND `publish_down` != '0000-00-00 00:00:00'
AND `published` != '0'
AND `published` != '3'
AND `ispending` = '0'SHOW FULL COLUMNS
FROM `j25_assets`SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT b.rules
FROM j25_assets AS a
LEFT JOIN j25_assets AS b
ON b.lft <= a.lft
AND b.rgt >= a.rgt
WHERE (a.id = 1)
GROUP BY b.id, b.rules, b.lft
ORDER BY b.lftSELECT b.id
FROM j25_usergroups AS a
LEFT JOIN j25_usergroups AS b
ON b.lft <= a.lft
AND b.rgt >= a.rgt
WHERE a.id = 1SHOW FULL COLUMNS
FROM `j25_easyblog_users`SELECT COUNT(*)
FROM `j25_easyblog_configs`
WHERE `name` = 'default'SELECT *
FROM j25_easyblog_configs
WHERE `name` = 'default'SELECT *
FROM `j25_easyblog_acl`
WHERE `published`=1
ORDER BY `id` ASCSELECT *
FROM `j25_easyblog_acl_group`
WHERE `content_id`='1'
AND `type`='
group'SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT id, keywords, description, indexing
FROM `j25_easyblog_meta`
WHERE content_id = '171'
and type = 'post'SELECT *
FROM j25_easyblog_post
WHERE `id` = '171'SHOW FULL COLUMNS
FROM `j25_easyblog_category`SELECT *
FROM j25_easyblog_category
WHERE `id` = '2'SELECT COUNT(1)
FROM `j25_easyblog_category`
WHERE `alias`='news'
AND `id`!='2'SELECT *
FROM j25_easyblog_post
WHERE `id` = '171'SELECT *
FROM j25_easyblog_category
WHERE `id` = '2'SELECT COUNT(1)
FROM `j25_easyblog_category`
WHERE `alias`='news'
AND `id`!='2'SHOW FULL COLUMNS
FROM `j25_discuss_users_history`INSERT INTO `j25_discuss_users_history` (`user_id`,`title`,`command`,`created`,`content_id`)
VALUES ('0','Viewed blog post, XSS уязвимость paypal.com.','easyblog.view.blog','2025-05-15 07:25:52','0')UPDATE j25_easyblog_post
SET `hits` = (`hits` + 1)
WHERE id = '171'SHOW FULL COLUMNS
FROM `j25_komento_configs`SELECT *
FROM j25_komento_configs
WHERE `component` = 'com_komento'SELECT COUNT(1)
FROM `j25_easyblog_featured`
WHERE `content_id` = '171'
AND `type` = 'post'SELECT a.`id`, a.`title`, a.`alias`
FROM `j25_easyblog_tag` AS a
LEFT JOIN `j25_easyblog_post_tag` AS b
ON a.`id` = b.`tag_id`
WHERE b.`post_id` = '171'
AND a.`published` = '1'
ORDER BY a.`title` ASCSELECT *
FROM j25_easyblog_users
WHERE `id` = '81'SHOW FULL COLUMNS
FROM `j25_users`SELECT *
FROM `j25_users`
WHERE `id` = 81SELECT `g`.`id`,`g`.`title`
FROM `j25_usergroups` AS g
INNER JOIN `j25_user_usergroup_map` AS m
ON m.group_id = g.id
WHERE `m`.`user_id` = 81SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT *
FROM j25_easyblog_category
WHERE `id` = '2'SELECT COUNT(1)
FROM `j25_easyblog_category`
WHERE `alias`='news'
AND `id`!='2'SELECT `title`
FROM `j25_easyblog_category`
WHERE `id` = '2'SHOW FULL COLUMNS
FROM `j25_easyblog_tag`SELECT *
FROM j25_easyblog_tag
WHERE `id` = '6'SELECT COUNT(1)
FROM `j25_easyblog_tag`
WHERE `alias`='bezopasnost'
AND `id`!='6'SELECT id
FROM j25_assets
WHERE parent_id = 0SELECT *
FROM j25_tagmeta_rules
WHERE ( ( ('/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP BINARY url)>0
AND (case_sensitive<>0)
AND (decode_url<>0)
AND (request_only<>0) ) OR ( ('/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP BINARY url)>0
AND (case_sensitive<>0)
AND (decode_url=0)
AND (request_only<>0) ) OR ( ('https://networkdoc.ru/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP BINARY url)>0
AND (case_sensitive<>0)
AND (decode_url<>0)
AND (request_only=0) ) OR ( ('https://networkdoc.ru/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP BINARY url)>0
AND (case_sensitive<>0)
AND (decode_url=0)
AND (request_only=0) ) OR ( ('/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP url)>0
AND (case_sensitive=0)
AND (decode_url<>0)
AND (request_only<>0) ) OR ( ('/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP url)>0
AND (case_sensitive=0)
AND (decode_url=0)
AND (request_only<>0) ) OR ( ('https://networkdoc.ru/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP url)>0
AND (case_sensitive=0)
AND (decode_url<>0)
AND (request_only=0) ) OR ( ('https://networkdoc.ru/easyblog/entry/xss-uyazvimost-paypal-com?print=1&tmpl=component' REGEXP url)>0
AND (case_sensitive=0)
AND (decode_url=0)
AND (request_only=0) ) )
AND published=1
ORDER BY ordering
38 Query Types Logged, Sorted by Occurrences.
SELECT Tables:
25 × SELECT id
FROM j25_assets3 × SELECT *
FROM j25_easyblog_category3 × SELECT *
FROM j25_easyblog_post3 × SELECT COUNT(1)
FROM `j25_easyblog_category`2 × SELECT a.`id`
FROM j25_easyblog_post as a2 × SELECT *
FROM j25_easyblog_configs1 × SELECT *
FROM j25_easyblog_users1 × SELECT a.`id`, a.`title`, a.`alias`
FROM `j25_easyblog_tag` AS a
LEFT JOIN `j25_easyblog_post_tag` AS b
ON a.`id` = b.`tag_id`1 × SELECT *
FROM `j25_users`1 × SELECT *
FROM j25_easyblog_tag1 × SELECT *
FROM j25_tagmeta_rules1 × SELECT COUNT(1)
FROM `j25_easyblog_tag`1 × SELECT COUNT(1)
FROM `j25_easyblog_featured`1 × SELECT `title`
FROM `j25_easyblog_category`1 × SELECT `g`.`id`,`g`.`title`
FROM `j25_usergroups` AS g
INNER JOIN `j25_user_usergroup_map` AS m
ON m.group_id = g.id1 × SELECT id, keywords, description, indexing
FROM `j25_easyblog_meta`1 × SELECT b.rules
FROM j25_assets AS a
LEFT JOIN j25_assets AS b
ON b.lft <= a.lft
AND b.rgt >= a.rgt1 × SELECT *
FROM `j25_easyblog_post`1 × SELECT `id`
FROM `j25_easyblog_mailq`1 × SELECT b.id
FROM j25_usergroups AS a
LEFT JOIN j25_usergroups AS b
ON b.lft <= a.lft
AND b.rgt >= a.rgt1 × SELECT COUNT(*)
FROM `j25_easyblog_configs`1 × SELECT m.id, m.menutype, m.title, m.alias, m.note, m.path AS route, m.link, m.type, m.level, m.language,m.browserNav, m.access, m.params, m.home, m.img, m.template_style_id, m.component_id, m.parent_id,e.element as component
FROM j25_menu AS m
LEFT JOIN j25_extensions AS e
ON m.component_id = e.extension_id1 × SELECT *
FROM `j25_easyblog_acl_group`1 × SELECT *
FROM `j25_easyblog_acl`1 × SELECT *
FROM j25_komento_configs
OTHER Tables:
1 × UPDATE j25_easyblog_post
SET `hits` = (`hits` + 1)1 × INSERT INTO `j25_discuss_users_history` (`user_id`,`title`,`command`,`created`,`content_id`)
VALUES ('0','Viewed blog post, XSS уязвимость paypal.com.','easyblog.view.blog','2025-05-15 07:25:52','0'1 × SHOW FULL COLUMNS
FROM `j25_komento_configs1 × SHOW FULL COLUMNS
FROM `j25_users1 × SHOW FULL COLUMNS
FROM `j25_easyblog_tag1 × SHOW FULL COLUMNS
FROM `j25_discuss_users_history1 × SHOW FULL COLUMNS
FROM `j25_easyblog_category1 × DELETE
FROM `j25_easyblog_mailq`1 × SHOW FULL COLUMNS
FROM `j25_easyblog_post1 × UPDATE `j25_easyblog_post`
SET `published` = '0'1 × SHOW FULL COLUMNS
FROM `j25_assets1 × SHOW FULL COLUMNS
FROM `j25_easyblog_users1 × SHOW FULL COLUMNS
FROM `j25_easyblog_configs