Home page logo
/

bugtraq logo Bugtraq mailing list archives

PayPal Inc Bug Bounty #42 - Persistent POST Inject Vulnerability
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Tue, 19 Nov 2013 04:21:41 +0100

Document Title:
===============
PayPal Inc Bug Bounty #42 - Persistent POST Inject Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=801

PayPal Security UID: kxy1ea5ech


Release Date:
=============
2013-11-18


Vulnerability Laboratory ID (VL-ID):
====================================
801


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
Als spezialisierte Factoringgesellschaft für die Abwicklung von Rechnungskauf-Zahlungen im Internet wurde die BillSAFE 
GmbH 2008 
durch die Altgesellschafter der mediafinanz AG gegründet. Das Management der BillSAFE GmbH besteht ausnahmslos aus 
Risikomanagement-Experten 
mit jahrelanger Erfahrung aus der Betreuung von namhaften Online-Shops und Versandhandelsunternehmen. 

2009 erfolgte die reguläre Inbetriebnahme des Services mit der Anbindung der ersten 100 Online-Shops. 2010 beteiligte 
sich die eBay Tochter PayPal 
im Rahmen einer strategischen Partnerschaft an der BillSAFE GmbH. 2011 wurde ein neuer Unternehmensstandort auf dem 
eBay Campus in Berlin Dreilinden 
eröffnet, um die enge operative Zusammenarbeit mit PayPal weiter zu intensivieren. Seit Dezember 2011 ist die BillSAFE 
GmbH ein 100%iges PayPal 
Unternehmen und Teil der eBay Firmengruppe. Die von BillSAFE angebotenen Produkte bündeln die Erfahrung aus der 
Abwicklung von mehreren hundert 
Millionen E-Commerce Transaktionen durch PayPal mit der Expertise in der Bearbeitung von mehreren Millionen 
Inkassofällen durch die mediafinanz AG.

(Copy of the Vendor Homepage: http://www.billsafe.de/company/about )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a POST inject web vulnerability  in the official Paypal Inc 
Billsafe online payment service web-application.


Vulnerability Disclosure Timeline:
==================================
2012-12-27:     Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-28:     Vendor Notification (PayPal Site Security Team - Bug Bounty Program)
2013-01-04:     Vendor Response/Feedback (PayPal Site Security Team - Bug Bounty Program)
2013-11-15:     Vendor Fix/Patch (PayPal Developer Team - Bug Bounty Reward)
2013-11-16:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PayPal Inc
Product: BillSafe - Online Payment Service 2012 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A remote POST inject web vulnerability has been discovered in the official Paypal Inc Billsafe online payment service 
web-application.
The issue allows remote attackers to inject via POST method request own malicious persistent script codes to compromise 
the application.

The vulnerability is located in the integration center module. Remote attackers can manipulate the POST method request 
of the 
vulnerable `Register to download formular`. The vulnerable application values are company (firma), `firstname 
(vorname), 
`lastname (nachname)` and `shop-url`. The server accepts the manipulated POST context and saves all details as html in 
the 
application dbms for future usage. The security risk of the POST inject web vulnerability with persistent attack vector 
is 
estimated medium with a cvss (common vulnerability scoring system) count of 3.5(+). 

The input does not validate the saved context and the input fields are not restricted to prevent future executions. 
Whenever an attacker is processing to include malicious context the request via POST method will be accepted by the 
server without secure encoding procedure.

Exploitation of the POST inject web vulnerability requires no privileged web application user account and low or medium 
user interaction. 
Successful exploitation of the client-side cross site scripting web vulnerabilities results in session hijacking, 
client-side phishing, 
client-side unauthorized/open (external) redirects and client-side manipulation of the exception module context.

Vulnerable Service(s):
                                [+] Paypal - BillSafe

Vulnerable Section(s):
                                [+] Integration Center (Integrations Center)

Vulnerable Module(s):
                                [+] Register to download Formular (Registration zum Formular download)

Vulnerable Parameter(s):
                                [+] Firma (company)
                                [+] Vorname (firstname)
                                [+] Nachname (lastname)
                                [+] Shop-URL 


Proof of Concept (PoC):
=======================
The post inject web vulnerability can be exploited by remote attackers without privileged application user account and 
with low or medium 
user interaction. For security demonstration or to reproduce the vulnerability follow the information below ...

--- PoC Session Request Logs [POST] ---

Host=www.billsafe.de
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept=text/html, */*; q=0.01
Accept-Language=de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
DNT=1
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With=XMLHttpRequest
Referer=http://www.billsafe.de/integration-center/shop-systems
Content-Length=427
Cookie=__utma=22145316.759281629.1356643963.1356643963.1356643963.1; 
__utmb=22145316.25.9.1356643975887; 
__utmc=22145316; 
__utmz=22145316.1356643963.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=billsafe%20paypal; 
PHPSESSID=2qhldnsb86c71flbko91cofc85
Pragma=no-cache
Cache-Control=no-cache

POSTDATA=
company=%3E%22+'[INJECTED SCRIPT CODE!])+%3C&firstname=%3E%22+'[INJECTED SCRIPT CODE!])+%3C&lastname=%3E%22+'[INJECTED 
SCRIPT CODE!])
+%3C&email=admin%40vulnerability-lab.com&shopUrl=http%3A%2F%2Fwww.%3E%22+'[INJECTED SCRIPT CODE!])+%3C.de
+&terms=1&version=1337(6)&system=4&validate=true&format=html


--- Response Header [200] ---
Status=OK - 200
Date=Thu, 27 Dec 2012 21:47:11 GMT
Server=Apache
Cache-Control=max-age=2592000
Expires=Sat, 26 Jan 2013 21:47:11 GMT
Vary=Accept-Encoding
Content-Encoding=gzip
Content-Length=511
Keep-Alive=timeout=15, max=68
Connection=Keep-Alive
Content-Type=text/html


Reference(s):
http://www.billsafe.de/integration-center/shop-systems > [Download]
http://www.billsafe.de/integration-center/api-sdk > [Download]


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the vulnerable values in the POST method request.
Also encode and parse the output of the vulnerable values even if the input has already been encoded and restricted.


Security Risk:
==============
The security risk of the POST inject web vulnerability in the register to download formular module is estimated as 
medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com) 
[www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec 
com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a 
permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com



  By Date           By Thread  

Current thread:
  • PayPal Inc Bug Bounty #42 - Persistent POST Inject Vulnerability Vulnerability Lab (Nov 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]