eBay Patches Critical XSS, SQL Holes

ID THREATPOST:176EAA879454D9D55E40032C8E16CA7D
Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:31:12


Developers at the popular online auction site eBay recently patched two potentially critical vulnerabilities, a cross-site scripting bug and a SQL injection vulnerability.

The SQL injection flaw was discovered by David Vieira-Kurz, a web security engineer, earlier this month. Viera-Kurz divulged details of the vulnerability last weekend on his personal blog Major Security, discussing the vulnerable page and parameter.

If exploited, the hole in the page in question, <http://sea.ebay.com/news.php>, could’ve given attackers unauthorized read/write/edit access to a SQL database.
According to Vieira-Kurz’s blog post, eBay fixed the SQL injection vulnerability in about 20 days.

The XSS flaw meanwhile could have allowed a hacker access to a seller’s account and the ability to insert a XSS exploit into the code on a product’s page. That vulnerability was found earlier this month by Indian security researcher Shubham Upadhyay.

According to a post on xssed.com, a site that archives XSS vulnerabilities, it could have been executed in listings on Google Chrome and Mozilla Firefox and used to redirect unsuspecting buyers to other bogus sales. Attackers would simply have to create a seller account, log into the account, create a listing for a sale and then add specialized XSS code in the listing’s HTML code.

According to a statement from an eBay spokeswoman late last week, the company was “aware of this case and the issue has already been dealt with,” later adding that the site also has a tool that “scans for XSS vulnerabilities in user generated content.” Sellers who violate the company’s policy are suspended and then their items are removed from the electronic store, the statement claimed.