A security expert has managed to identify three vulnerabilities on paypal-marketing.com, the website used by the payment processor for the PayPal Partner Program.
Behrouz Sadeghipour has found and reported a cross-site scripting (XSS) issue, a remote code execution flaw and an information disclosure vulnerability.
Initially, the researcher found the XSS flaw, which he reported to PayPal’s security team on March 19. The XSS was addressed on April 9.
One day after the XSS was fixed, Sadeghipour identified an information disclosure issue, which he later leveraged for remote code execution. The expert said he was looking for an SQL Injection bug, but he found an RCE instead.
To demonstrate the existence of the RCE to PayPal, he sent the company’s security team three links showing that he could retrieve the Process ID (PID), the script owner’s Group ID (GID) and the script owner’s User ID (UID) by replacing a parameter in the request with PHP commands.
By April 11, PayPal had addressed the vulnerability. The company has promised to reward the researcher in the next payment cycle.
Sadeghipour highlights that the RCE he found is a remote code execution bug, not a remote command execution bug. The vulnerability allows an attacker to run PHP functions; it produces the same sort of results, but by leveraging PHP.
Check out the proof-of-concept video for the PayPal Partner Program vulnerabilities. Additional technical details are available on Behrouz Sadeghipour's blog.