eBay has fixed a pair of security vulnerabilities in its site that could enable attackers to upload executable files disguised as benign file types, construct full path URLs and then point victims to them through drive-by download attacks.
The first bug resulted from the failure of an eBay page to check the headers of image files uploaded by users. An attacker could take advantage of this to upload a malicious file disguised as an image, which the server would then accept and store.
“The eBay server fails to implement secure header checks on the image files being uploaded on the server. It basically verifies the image extensions. As a result, it is possible to upload a camouflaged malicious file (EXE, PDF, etc.) with image file extension,” Aditya Sood, one of the researchers who discovered the vulnerabilities, said in an email.
If an attacker were able to upload a file of his choice, he could embed malware in it. But the second vulnerability could make a potential attack more serious: when a user uploaded a file successfully, eBay’s server would return a message with the exact file path.
“The attacker can upload malicious exe file camouflaged as image files and then use the URL in drive by download attacks,” Sood said.
“[Or], the attacker can also hide malicious executable in the image file which can be executed on the end-user system when image file is opened.”
Sood, who discovered the bugs along with Rohit Bansal, reported the vulnerabilities to eBay, which confirmed on Monday that they had been addressed.
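The two missing server-side checks described above can be illustrated with a short added example. It is not eBay's code or its actual fix: the function names, the allowed image types and the in-memory `storage` dict are assumptions. The upload handler compares the file's leading bytes against the signature expected for its extension, and hands back an opaque ID rather than the stored file path.

```python
import secrets

# Leading "magic" bytes for the image types this hypothetical endpoint accepts.
IMAGE_SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


class UploadRejected(Exception):
    """Raised when an upload fails the extension or header check."""


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if the content matches it, else raise."""
    name, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or not name or ext not in IMAGE_SIGNATURES:
        raise UploadRejected("extension not allowed")
    # The check the article says was missing: do the bytes match the extension?
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def store_upload(filename: str, data: bytes, storage: dict) -> str:
    """Store under a random server-chosen key and return only an opaque ID."""
    ext = validate_image_upload(filename, data)
    upload_id = secrets.token_urlsafe(16)
    storage[upload_id] = (ext, data)  # the storage location is never echoed back
    return upload_id


# Constructed sample inputs (not real files).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_EXE_AS_JPG = b"MZ\x90\x00" + b"\x00" * 16  # DOS/PE executable header
SAMPLE_PDF_AS_GIF = b"%PDF-1.4\n"

if __name__ == "__main__":
    store = {}
    print("accepted, id:", store_upload("photo.png", SAMPLE_PNG, store))
    for fname, blob in [("cat.jpg", SAMPLE_EXE_AS_JPG), ("doc.gif", SAMPLE_PDF_AS_GIF)]:
        try:
            store_upload(fname, blob, store)
        except UploadRejected as exc:
            print(fname, "rejected:", exc)
```

A signature check only covers the disguised-file case. Data hidden inside an otherwise valid image passes it, which is why upload handlers commonly also re-encode images server-side.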