mailing list archives
User privilege escalation exploit.
From: sunos5.8 () hotmail com
Date: 22 Jul 2005 14:10:31 -0000
Version: Business Center, Essentials/Small
Severity: Vulnerability allows malicious employees or comprimised accounts to steal money.
Vendor Status: Notified, but expects to fix issue some time in 2006.
Overview: Business Center is the web application used by merchants to authorize, capture, and refund
Credit Card transactions. This application has the ability for merchants to define user accounts
that are given limited privileges on what operations they can perform on a transaction.
There does not appear to be validation on user-controlled input as found by the two ways to
bypass user privilege restrictions.
Unfortunately it was found that through simple URL manipulation it is possible to bypass these security
restrictions to allow a user to create new transactions and search for and view previous transactions.
The latter would allow an untrusted user to view customer information.
Issuing new Credit transactions and capturing (moving customer money to merchant account) can be done
by creating a local copy of web pages from the site and modifying the HTML <form> submission target and content. A
simply has to login, access the locally modified page and submit the form which then blindly sends the transaction to
In theory then an unprivileged account would be able to generate a number of fraudulent transactions onto existing
and then move money from the merchant's account after capture to their own credit card or an accomplice's. This
forcing through transactions that do not have correct Card Verification Numbers.
Demo account is free to create and can be done at http://www.cybersource.com/bankofamerica/eval/.
Test server is identical to Production with the exception that the Credit Card Authorizer and capturing does not contact
the card owners banks for verification.
After creating an account with only the AO privilege (allows user to create new Authorizations only) login under this
Accessing Order Search or Reports
The first level of *security* uses the security through obscurity method to prevent user from accessing the Order
Search by preventing
the URL information from being sent to the user. The menu on the interface does not have the button but fortunately
the URL's use
a standard naming convention in the JSP's.
1) Copy the URL from the Virtual Terminal button, this will be
2) Paste URL into address bar and change terminal.jsp to search.jsp, or similarly to reports.jsp
3) The associated jsp is loaded and usable.
Capturing and Crediting a transaction is not vulnerable to simply URL manipulation but are vulnerable to HTTP Post
When creating a new transaction it is possible to save the web page locally and then modify the source
(sbc_index.jsp_files\home_data\VTSettingsLoad.htm) to prefix the form's target with
https://businesscentertest.cybersource.com so that submission
will be sent to the server instead of localhost.
Adding the HTML option <option value="Credit">Credit</option> to the HTML <select name='transactionType'> allows a
to be selectable for creation.
Confirming the transaction causes this crafted POST form to be sent to the server and a confirmation of information is
presented to the user
to confirm the transaction.
Do not use user accounts until next year when vendor has said the problem will be fixed.
- User privilege escalation exploit. sunos5 . 8 (Jul 23)