lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <BAY21-F16B21421BEBA4FFE8199A698C90@phx.gbl> Date: Fri Jul 22 16:46:33 2005 From: sunos5.8 at hotmail.com (No Sue Please) Subject: User privilege escalation exploit. Vendor: CyberSource Version: Business Center, Essentials/Small Business, https://businesscenter.cybersource.com/ Severity: Vulnerability allows malicious employees or comprimised accounts to steal money. Vendor Status: Notified, expects to fix issue some time in 2006. Overview: Business Center is the web application used by merchants to authorize, capture, and refund Credit Card transactions. This application has the ability for merchants to define user accounts that are given limited privileges on what operations they can perform on a transaction. There does not appear to be validation on user-controlled input as found by the two ways to bypass user privilege restrictions. Unfortunately it was found that through simple URL manipulation it is possible to bypass these security restrictions to allow a user to create new transactions and search for and view previous transactions. The latter would allow an untrusted user to view customer information. Issuing new Credit transactions and capturing (moving customer money to merchant account) can be done by creating a local copy of web pages from the site and modifying the HTML <form> submission target and content. A user then simply has to login, access the locally modified page and submit the form which then blindly sends the transaction to the server. In theory then an unprivileged account would be able to generate a number of fraudulent transactions onto existing customers and then move money from the merchant's account after capture to their own credit card or an accomplice's. This includes forcing through transactions that do not have correct Card Verification Numbers. Details: Demo account is free to create and can be done at http://www.cybersource.com/bankofamerica/eval/. Test server is identical to Production with the exception that the Credit Card Authorizer and capturing does not contact the card owners banks for verification. After creating an account with only the AO privilege (allows user to create new Authorizations only) login under this account. Accessing Order Search or Reports The first level of *security* uses the security through obscurity method to prevent user from accessing the Order Search by preventing the URL information from being sent to the user. The menu on the interface does not have the button but fortunately the URL's use a standard naming convention in the JSP's. 1) Copy the URL from the Virtual Terminal button, this will be https://businesscentertest.cybersource.com/sbctest/landing/terminal.jsp 2) Paste URL into address bar and change terminal.jsp to search.jsp, or similarly to reports.jsp 3) The associated jsp is loaded and usable. Capturing and Crediting a transaction is not vulnerable to simply URL manipulation but are vulnerable to HTTP Post injections. When creating a new transaction it is possible to save the web page locally and then modify the source (sbc_index.jsp_files\home_data\VTSettingsLoad.htm) to prefix the form's target with https://businesscentertest.cybersource.com so that submission will be sent to the server instead of localhost. Adding the HTML option <option value="Credit">Credit</option> to the HTML <select name='transactionType'> allows a Credit transaction to be selectable for creation. Confirming the transaction causes this crafted POST form to be sent to the server and a confirmation of information is presented to the user to confirm the transaction. Recommendation: Do not use user accounts until next year when vendor has said the problem will be fixed. _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
Powered by blists - more mailing lists