Document
Title:
+++++++++++++++++++++++++++++++++++++++++
PayPal Inc Bug Bounty #42 - Persistent POST Inject Vulnerability
References (Source):
+++++++++++++++++++++++++++++++++++++++++
http://www.vulnerability-lab.com/get_content.php?id=801
PayPal Security UID: kxy1ea5ech
Release Date:
+++++++++++++++++++++++++++++++++++++++++
2013-11-18
Vulnerability Laboratory ID (VL-ID):
+++++++++++++++++++++++++++++++++++++++++
801
Common Vulnerability Scoring System:
+++++++++++++++++++++++++++++++++++++++++
3.5
Product & Service Introduction:
+++++++++++++++++++++++++++++++++++++++++
As a specialized factoring company for processing purchase invoice payments on
the Internet Billsafe GmbH in 2008
founded
by the former shareholders of AG mediafinanz . The management of Billsafe GmbH
consists exclusively of risk management experts
with
years of experience in the care of reputable online stores and mail order
companies .
2009
the start of the regular services with the connection of the first 100 online
shops. 2010, involved the eBay subsidiary PayPal
through
a strategic partnership at the Bill safe GmbH 2011, a new company location on
the eBay campus in Berlin Drei Linden
opened
in order to intensify the close operational cooperation with PayPal on. Since
December 2011, the Bill safe GmbH is a 100% advance
Company
and part of the eBay group of companies. The products offered by Bill Safe
combine the experience from the settlement of several hundred
Million
e- commerce transactions via PayPal with the expertise in the processing of
millions of debt collection by the mediafinanz AG.
(Copy of the Vendor Homepage: http://www.billsafe.de/company/about )
Abstract Advisory Information:
+++++++++++++++++++++++++++++++++++++++++
The Vulnerability Laboratory Research Team discovered a POST inject web
vulnerability in the official Paypal Inc
Billsafe online payment service web-application.
Vulnerability Disclosure Timeline:
+++++++++++++++++++++++++++++++++++++++++
2012-12-27: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-28: Vendor Notification (PayPal Site Security Team - Bug Bounty
Program)
2013-01-04: Vendor Response/Feedback (PayPal Site Security Team - Bug Bounty
Program)
2013-11-15: Vendor Fix/Patch (PayPal Developer Team - Bug Bounty Reward)
2013-11-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
+++++++++++++++++++++++++++++++++++++++++
Published
Affected Product(s):
+++++++++++++++++++++++++++++++++++++++++
PayPal Inc
Product: BillSafe - Online Payment Service 2012 Q4
Exploitation Technique:
+++++++++++++++++++++++++++++++++++++++++
Remote
Severity Level:
+++++++++++++++++++++++++++++++++++++++++
Medium
Technical Details & Description:
+++++++++++++++++++++++++++++++++++++++++
A remote POST inject web vulnerability has been discovered in the official
Paypal Inc Billsafe online payment service
web-application.
The issue allows remote attackers to inject via POST method request own
malicious persistent script codes to compromise
the application.
The vulnerability is located in the integration center module. Remote attackers
can manipulate the POST method request
of the
vulnerable `Register to download formular`. The vulnerable application values
are company (firma), `firstname (vorname),
`lastname (nachname)` and `shop-url`. The server accepts the manipulated POST
context and saves all details as html in
the
application dbms for future usage. The security risk of the POST inject web
vulnerability with persistent attack vector
is
estimated medium with a cvss (common vulnerability scoring system) count of
3.5(+).
The input does not validate the saved context and the input fields are not
restricted to prevent future executions.
Whenever an attacker is processing to include malicious context the request via
POST method will be accepted by the
server without secure encoding procedure.
Exploitation of the POST inject web vulnerability requires no privileged web
application user account and low or medium
user interaction.
Successful exploitation of the client-side cross site scripting web
vulnerabilities results in session hijacking,
client-side phishing,
client-side unauthorized/open (external) redirects and client-side manipulation
of the exception module context.
Vulnerable Service(s):
[+] Paypal - BillSafe
Vulnerable Section(s):
[+] Integration Center (Integrations Center)
Vulnerable Module(s):
[+] Register to download Formular (Registration zum Formular download)
Vulnerable Parameter(s):
[+] Firma (company)
[+] Vorname (firstname)
[+] Nachname (lastname)
[+] Shop-URL
Proof of Concept (PoC):
+++++++++++++++++++++++++++++++++++++++++
The post inject web vulnerability can be exploited by remote attackers without
privileged application user account and
with low or medium
user interaction. For security demonstration or to reproduce the vulnerability
follow the information below ...
--- PoC Session Request Logs [POST] ---
Host=www.billsafe.de
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101
Firefox/17.0
Accept=text/html, */*; q=0.01
Accept-Language=de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
DNT=1
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With=XMLHttpRequest
Referer=http://www.billsafe.de/integration-center/shop-systems
Content-Length=427
Cookie=__utma=22145316.759281629.1356643963.1356643963.1356643963.1;
__utmb=22145316.25.9.1356643975887;
__utmc=22145316;
__utmz=22145316.1356643963.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=billsafe%20paypal;
PHPSESSID=2qhldnsb86c71flbko91cofc85
Pragma=no-cache
Cache-Control=no-cache
POSTDATA=
company=%3E%22+'[INJECTED SCRIPT CODE!])+%3C&firstname=%3E%22+'[INJECTED
SCRIPT
CODE!])+%3C&lastname=%3E%22+'[INJECTED SCRIPT CODE!])
+%3C&email=admin%40vulnerability-lab.com&shopUrl=http%3A%2F%2Fwww.%3E%22+'[INJECTED
SCRIPT CODE!])+%3C.de
+&terms=1&version=1337(6)&system=4&validate=true&format=html
--- Response Header [200] ---
Status=OK - 200
Date=Thu, 27 Dec 2012 21:47:11 GMT
Server=Apache
Cache-Control=max-age=2592000
Expires=Sat, 26 Jan 2013 21:47:11 GMT
Vary=Accept-Encoding
Content-Encoding=gzip
Content-Length=511
Keep-Alive=timeout=15, max=68
Connection=Keep-Alive
Content-Type=text/html
Reference(s):
http://www.billsafe.de/integration-center/shop-systems > [Download]
http://www.billsafe.de/integration-center/api-sdk > [Download]
Solution - Fix & Patch:
+++++++++++++++++++++++++++++++++++++++++
The vulnerability can be patched by a secure parse of the vulnerable values in
the POST method request.
Also encode and parse the output of the vulnerable values even if the input has
already been encoded and restricted.
Security Risk:
+++++++++++++++++++++++++++++++++++++++++
The security risk of the POST inject web vulnerability in the register to
download formular module is estimated as
medium.
Credits & Authors:
+++++++++++++++++++++++++++++++++++++++++
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
+++++++++++++++++++++++++++++++++++++++++
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all
warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose.
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of
business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such
damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing
limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into
databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com -
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com -
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the
use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code,
videos and
other information on this website is trademark of vulnerability-lab team &
the specific authors or managers. To
record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or
research@vulnerability-lab.com) to get a
permission.
