{"id": "VULNERLAB:704", "vendorId": null, "type": "vulnerlab", "bulletinFamily": "exploit", "title": "Paypal Bug Bounty #27 - Community Web Vulnerability", "description": "", "published": "2012-11-23T00:00:00", "modified": "2012-11-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.vulnerability-lab.com/get_content.php?id=704", "reporter": "Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2019-07-10T14:58:34", "viewCount": 7, "enchantments": {"dependencies": {}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "threatpost", "idList": ["THREATPOST:07A8466539FBE60F0745BA8985EE73D1", "THREATPOST:87674040C7E713171787C372FB0D24DB", "THREATPOST:A5DA2027FC2C5FE68AC50C92BE182FB8", "THREATPOST:E6F05C49DD277EEC47DDEFB35F8D2818"]}]}, "exploitation": null, "vulnersScore": -0.2}, "sourceData": "Document Title:\r\n===============\r\nPaypal Bug Bounty #27 - Community Web Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttp://www.vulnerability-lab.com/get_content.php?id=704\r\n\r\n\r\nRelease Date:\r\n=============\r\n2012-11-23\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n704\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n2.1\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nPayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money \r\ntransfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, \r\na PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some \r\ntime in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined \r\nspending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified \r\nfunding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy \r\n(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your \r\nPayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a \r\nPayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary \r\nfunding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.\r\nThe recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request \r\na transfer to their bank account.\r\n\r\nPayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it \r\ncharges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency \r\nused, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account \r\ntype. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.\r\n\r\nOn October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United \r\nStates at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, \r\nArizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across \r\nEurope, PayPal also operates as a Luxembourg-based bank.\r\n\r\nOn March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers \r\nto use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.\r\nBetween December 4\u00f19, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation \r\nfor PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.\r\n\r\n(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe Vulnerability Laboratory Research Team discovered a a client side Web Vulnerability and a stable error in the official Paypal Community Forum Portal.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2012-09-17:\tResearcher Notification & Coordination\r\n2012-09-18:\tVendor Notification\r\n2012-10-19:\tVendor Response/Feedback\r\n2012-10-29:\tVendor Fix/Patch\r\n2012-11-26:\tPublic or Non-Public Disclosure\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity Level:\r\n===============\r\nLow\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nA client side input validation vulnerability and a stable persistent error are detected in the official PayPal Community website.\r\nThe vulnerability is located in the add tags function and the bound replace module.attackers can produce posts with permanent \r\nerrors bye replacing a standard value string with > `` < ../ and a string code or path to an existing url. Normally it should not be \r\npossible to inject script code as foldername and replace it with more script code to crash with an unhandled exception. Attackers \r\ncan inject on client side when the exception-handling is bypassed via another validation vulnerability.\r\n\r\n\r\nVulnerable Module(s):\r\n\t\t\t\t[+] add tags\r\n\r\nVulnerable Parameter(s):\r\n\t\t\t\t[+] rc\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe vulnerability can be exploited by remote attackers with medium or high required user inter action.\r\nFor demonstration or reproduce ...\r\n\r\n\r\nPOC:\r\nhttps://www.paypal-community.com/t5/forums/tagreplacepage/message-scope/core-node/board-id/US-Hot-Topics/user-scope/single/\r\nuser-id/4716070/tag-scope/single/tag-id/rc=a%20onload=alert%28%22VL%22%29%20%3C%20%22%3E%3Ciframe%20src=a\r\n%20onload=alert%28%22VL%22%29%20%3Cc%20%22%3E%3C\r\niframe%20src=a%20onload=alert%28%22VL%22%29%20%3C%20%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL\r\n%22%29%20%3C/timerange/all/tag-visibility-scope/public\r\n\r\n--- Error Logs ---\r\nAn Unexpected Error has occurred.\r\n Sorry, your request failed. A notification has been sent to the development team for investigation.\r\n Exception ID: 724C64A6\r\n Please click the Back button on your browser.\r\n\r\nReturn to my original page\r\n\r\nID: \t\t724C64A6\r\nSession Time: \t15:30 - 15:51\r\n\r\nReference(s):\r\n ../US-Hot-Topics.htm\r\n ../public.html\r\n ../all.htm\r\n ../424675.htm\r\n\r\n\r\nNote:\r\nThe bug exists but the exception-handling prevents the client side execution with a unhandled error and opened \r\nautomatically a ticket for the dev team. It is very dangerous to allow special chars like > \" < / ' - in the url \r\nitself because it results in multiple different errors after a while like you can see on the not sanitized calculated output.\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nThe vulnerability and stable error can be patched by parsing the rc parameter request.\r\nIt also required to restrict the add tag function with a character mask, own exception-handling or filter.\r\nThe result is the url with not anymore stable contain manipulate script code which results in permanent errors or client side script code attacks.\r\n\r\n2012-10-29:\tVendor Fix/Patch\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the non persistent input validation web vulnerability is estimated as low(+)|(-)medium.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nVulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, \r\neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-\r\nLab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business \r\nprofits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some \r\nstates do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation \r\nmay not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases \r\nor trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t - www.vulnerability-lab.com/register\r\nContact: admin@vulnerability-lab.com \t- support@vulnerability-lab.com \t - research@vulnerability-lab.com\r\nSection: video.vulnerability-lab.com \t- forum.vulnerability-lab.com \t\t - news.vulnerability-lab.com\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t - youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other \r\nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and \r\nother information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), \r\nmodify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.\r\n\r\n \t\t\t\t \tCopyright \u00a9 2012 | Vulnerability Laboratory\r\n\r\n\r\n\r\n", "category": "", "_state": {"dependencies": 1645596366, "score": 1659788215, "epss": 1678853679}}
Paypal Bug Bounty #27 - Community Web Vulnerability