The Inj3ct0r team (http://1337day.com) has contacted us about another vulnerability they found. They located and exploited a persistent XSS in the official site of Vulnerability-Lab, a 1337day lookalike.
This comes after Vulnerability-Lab claimed they had found a persistent web vulnerability in the content management system of the official PayPal (core) ecommerce website.
The security flaw allows attackers to inject their own malicious code on the site and have it stick (persistent).
The persistent input validation vulnerability is located in the Adressbuch module, in the search function bound to it, which is vulnerable when it processes script code tags submitted as `Addressbuch` contacts. The injected code is executed from the web context of the search result listing. Remote exploitation requires low user interaction and a privileged PayPal banking application user account.
Inj3ct0r looks to be taking out the competition one by one.