PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program.
Researcher Benjamin Kunz Mejri of Vulnerability-Lab reported the security vulnerabilities to PayPal in September; patches were released in late October according to an advisory posted this week to the Full Disclosure list.
The XSS bug allows only the execution of client-side script and browser cookie hijacking, Mejri told Threatpost in an email. “Client-side forced requests are possible to external targets,” he said, adding this could lead to session hijacking and phishing attacks.
According to the advisory, the vulnerability was located in the add-tags function of the community forum page. Attackers could have replaced a standard value string with malicious code or a path to the attackers site.
“Normally it should not be possible to inject script code as foldername and replace it with more script code to crash with an unhandled exception,” the advisory said. “Attackers can inject on [the] client side when the exception-handling is bypassed via another validation vulnerability.”
An input validation vulnerability was also discovered on the egreetings Web service of PayPal’s Plaza Web-based application. Plaza is PayPal’s shopping application; an attacker would need to be logged in to be able to send a malicious greeting via PayPal’s outgoing mail server, Merij said. Malicious code could be injected into certain fields in the application and the victim could be subject to session hijacking or persistent Web-based attacks.
Finally, a vulnerability that could enable an attacker to redirect users of PayPal’s content management system–customer, pro or seller accounts—was patched. Attackers can use a client-side request to send users to an external website.
“An attacker can redirect the victim over the original PayPal domain to malware or phishing sites,” Mejri said. “The potential consequence is a stolen PayPal account or external malicious redirects. Mostly users do not watch where the redirection location is when the domain request was processed through the original PayPal community domain.”
PayPal began its bug-bounty program in June. PayPal’s security team rates the severity of submitted vulnerabilities and the company determines payouts. PayPal said only cross-site scripting, cross-site request forgery, SQL injection and authentication bypass flaws are in scope for its program. Researchers must also give PayPal reasonable time to address the flaws in question.
