PayPal Bug Bounty #65 CN - Redirect Web Vulnerability

Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - 中国隐形步行者 - 中国精英 (CNNVD)
Modified 2013-11-16T00:00:00


A low-severity client-side redirect web vulnerability has been detected in the official Chinese (CN) PayPal Inc web application service. The vulnerability allows remote attackers to craft malicious links as client-side GET method requests that manipulate a return link.

The vulnerability is located in the login (php) module, in the go parameter of the GET method request for the return link. Remote attackers can manipulate the client-side GET method request to redirect the victim, via mouse-over, to an external malicious source/website. The issue is only visible when the mouse is moved over the link, which opens it and runs the client-side script code. A direct injection via document.cookie in the go parameter, without using the echoed link, is not possible. The security risk of the non-persistent web vulnerability in the ref go value is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 1.5(+).

The vulnerability can be exploited by remote attackers without a privileged application user account and with medium required user interaction. Successful exploitation results in client-side cross-site scripting, client-side session hijacking, client-side phishing or malicious redirects to external targets/sources.

Vulnerable Module(s): [+] Login (login.php)

Vulnerable Parameter(s): [+] ?go

Affected Module(s): [+] PayPal ReturnTo Button and Login Link
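
As an added example (not PayPal's code and not part of the original advisory), this is one way a PHP login module could constrain a return-link parameter such as go before echoing it into a link: same-site paths or allowlisted HTTPS hosts only, with the result HTML-escaped. The function names, host names and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: validate a return-link parameter (e.g. "go") before use.
// Assumption: the site's own host names; replace with the real ones.
const ALLOWED_HOSTS = ['www.example.cn', 'example.cn'];
const FALLBACK = '/';

function safe_return_target(?string $go): string
{
    if ($go === null || $go === '' || strlen($go) > 2048) {
        return FALLBACK;
    }
    // Browsers treat "\" like "/" and ignore tabs/newlines inside URLs,
    // so reject control characters, spaces and backslashes outright.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $go)) {
        return FALLBACK;
    }
    // Same-site path: exactly one leading slash ("//host" is protocol-relative).
    if ($go[0] === '/') {
        return (strlen($go) > 1 && $go[1] === '/') ? FALLBACK : $go;
    }
    // Absolute URL: https only, no userinfo, exact host match on the allowlist.
    // This also rejects script schemes such as "javascript:".
    $parts = parse_url($go);
    if ($parts === false
        || strtolower($parts['scheme'] ?? '') !== 'https'
        || isset($parts['user']) || isset($parts['pass'])
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)) {
        return FALLBACK;
    }
    return $go;
}

function render_return_link(?string $go): string
{
    // Escape for the HTML attribute context even after validation.
    $href = htmlspecialchars(safe_return_target($go), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">Return</a>';
}

// Constructed sample inputs: only the first two survive validation.
$samples = [
    '/account/overview', 'https://www.example.cn/summary',
    '//other.example.test/', '/\\other.example.test/',
    'https://www.example.cn.other.example.test/',
    'https://www.example.cn@other.example.test/', 'javascript:void(0)',
];
foreach ($samples as $sample) {
    printf("%-45s -> %s\n", $sample, render_return_link($sample));
}
```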