RCE, Information Disclosure and XSS Flaws Found in PayPal

A security expert has managed to identify three vulnerabilities on paypal-marketing.com, the website used by the payment processor for the PayPal Partner Program.

Behrouz Sadeghipour has found and reported a cross-site scripting (XSS) issue, a remote code execution flaw and an information disclosure vulnerability.

Initially, the researcher found the XSS flaw, which he reported to PayPal’s security team on March 19. The XSS was addressed on April 9.

One day after the XSS was fixed, Sadeghipour identified an information disclosure issue, which he later leveraged for remote code execution. The expert said he was looking for an SQL Injection bug, but he found an RCE instead.

To demonstrate the existence of the RCE to PayPal, he sent the company’s security team three links showing that he could retrieve the Process ID (PID), the script owner’s Group ID (GID) and the script owner’s User ID (UID) by replacing a parameter in the request with PHP commands.

By April 11, PayPal had addressed the vulnerability. The company has promised to reward the researcher in the next payment cycle.

Sadeghipour stresses that the bug he found is remote code execution, not remote command execution: the vulnerability lets an attacker run PHP functions, which produces the same sort of results as command execution, but by leveraging PHP itself.

Check out the proof-of-concept video for the PayPal Partner Program vulnerabilities. Additional technical details are available on Behrouz Sadeghipour's blog.

Source: Softpedia


  1. Doesn't work on centos 6.4 x86_64

    /usr/sbin/airmon-ng: line 338: /sys/class/ieee80211/phy0/add_iface: No such file or directory

  2. I'm a security auditor at the same place as him, and at almost that exact time I had found a flaw in their games.yahoo.net server and gained access to their games admin portal via JBoss, and could in turn control all that side. I also turned mine in for bounty. Trig

  3. This comment has been removed by a blog administrator.

  4. Hi, I followed your guide and was able to successfully install aircrack, but whenever I try to start up airmon-ng, I get "line 338: /sys/class/ieee80211/phy0/add_iface: No such file or directory." I've tried googling this and trying the various fixes I found through it, but none of them are helping. I thought maybe the NIC was bad, but I was able to use it successfully when I booted the laptop in Kali.