Home / exploitsPDF  

eBay.com ocsnext CSS Injection

Posted on 23 December 2014

###################################################################### # Exploit Title: eBay.com ocsnext sub-domain Reflected CSS injection # Date: 20/12/2014 # Author: Yann CAM @ Synetis - ASafety # Vendor or Software Link: www.ebay.com # Version: / # Category: Reflected CSS injection # Google dork: # Tested on: eBay.com ocsnext sub-domain ###################################################################### Adobe description : ====================================================================== eBay Inc., is an American multinational corporation and e-commerce company, providing consumer-to-consumer & business-to-consumer sales services via Internet. It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. Vulnerability description : ====================================================================== A CSS injection is available in the ocsnext.ebay.com sub-domain. Through this vulnerability, an attacker could tamper with page rendering, and potentially injects JavaScript to generate Reflected XSS (RXSS) to redirect victims to fake eBay portals, or capture eBay's users credentials such cookies. This CSS injection is on GET "query" variable and is not properly sanitized before being used to his page. Proof of Concept 1 : ====================================================================== A non-persistent CSS injection and potentially RXSS in "query" GET param is available in the ocsnext.ebay.com sub-domain. Test with FireFox 30.0 and Chrome 36.0.1985.125. Using eBay's services, the vulnerability injection (HTML, CSS and JavaScript potentially) affect a page of ocsnext.ebay.com domain (*.ebay.com) once authenticated. The injection is used to define arbitrary attributes on an input tag type "hidden": <input type="hidden" name="query" value="[INJECTION]" /> It is possible to define the "style" attribute to load the CSS on the fly and possibly make XSS based browsers and their versions (-moz-binding, expression(), background-image: url(javascript:) ) ... Chars like "<" or ">" are encoded, and strings like "http://" are filtered. To evade the "http://" filter, evasion vector "http:/%26%23x0D%3B/" is used. PoC: http://ocsnext.ebay.com/ocs/cusr?query=x" style="background-image:url('http:/%26%23x0D%3B/www.asafety.fr/images/logo.png')&domain=TechnicalIssues&from=404_error Screenshots : ====================================================================== - http://www.asafety.fr/data/20140721-ebay_css_injection_01.png Solution: ====================================================================== Fixed by eBay / PayPal / Magento security team. Additional resources : ====================================================================== - http://www.ebay.com/ - http://ebay.com/securitycenter/ResearchersAcknowledgement.html - http://www.asafety.fr/vuln-exploit-poc/contribution-ebay-css-injection-xss-potentielle/ - http://www.synetis.com/2014/08/22/contribution-securite-debay/ Report timeline : ====================================================================== 2014-07-21 : eBay Team alerted with details and PoC. 2014-07-21 : eBay response and ack. 2014-07-21 : eBay validate the issue and awaiting fix. 2014-08-21 : eBay fixed the issue and acknowledgement 2014-08-22 : Public article on SYNETIS website. 2014-12-20 : Public article and PoC on ASafety website 2014-12-20 : Public advisory Credits : ====================================================================== 88888888 88 888 88 88 888 88 88 788 Z88 88 88.888888 8888888 888888 88 8888888. 888888. 88 88 888 Z88 88 88 88 88 88 88 8888888 88 88 88 88 88 88 88 88 888 888 88 88 88 88 88888888888 88 88 888888 88 88 88 8. 88 88 88 88 88 888 888 ,88 8I88 88 88 88 88 88 88 .88 .88 ?8888888888. 888 88 88 88888888 8888 88 =88888888 888. 88 88 www.synetis.com 8888 Consulting firm in management and information security Yann CAM - Security Consultant @ Synetis | ASafety -- SYNETIS | ASafety CONTACT: www.synetis.com | www.asafety.fr

 

TOP