######################################################################
# Exploit Title: eBay.com ocsnext sub-domain Reflected CSS injection
# Date: 20/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ebay.com
# Version: /
# Category: Reflected CSS injection
# Google dork:
# Tested on: eBay.com ocsnext sub-domain
######################################################################

Adobe description :
======================================================================
 
eBay Inc., is an American multinational corporation and e-commerce company, providing consumer-to-consumer & business-to-consumer sales services via Internet. 
It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; 
it is a multi-billion dollar business with operations localized in over thirty countries.

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide.


Vulnerability description :
======================================================================
A CSS injection is available in the ocsnext.ebay.com sub-domain.
Through this vulnerability, an attacker could tamper with page rendering, and potentially injects JavaScript to generate Reflected XSS (RXSS) to 
redirect victims to fake eBay portals, or capture eBay's users credentials such cookies. 
This CSS injection is on GET "query" variable and is not properly sanitized before being used to his page.


Proof of Concept 1 :
======================================================================
 
A non-persistent CSS injection and potentially RXSS in "query" GET param is available in the ocsnext.ebay.com sub-domain.
Test with FireFox 30.0 and Chrome 36.0.1985.125.
 
Using eBay's services, the vulnerability injection (HTML, CSS and JavaScript potentially) affect a page of ocsnext.ebay.com domain (*.ebay.com) once authenticated. 

The injection is used to define arbitrary attributes on an input tag type "hidden": 
<input type="hidden" name="query" value="[INJECTION]" /> 

It is possible to define the "style" attribute to load the CSS on the fly and possibly make XSS based browsers and their versions 
(-moz-binding, expression(), background-image: url(javascript:) ) ...

Chars like "<" or ">" are encoded, and strings like "http://" are filtered. To evade the "http://" filter, evasion vector "http:/%26%23x0D%3B/" is used.
 
PoC: 
http://ocsnext.ebay.com/ocs/cusr?query=x" style="background-image:url('http:/%26%23x0D%3B/www.asafety.fr/images/logo.png')&domain=TechnicalIssues&from=404_error


Screenshots :
======================================================================

- http://www.asafety.fr/data/20140721-ebay_css_injection_01.png 


Solution:
======================================================================

Fixed by eBay / PayPal / Magento security team.
 
 
Additional resources :
======================================================================
 
- http://www.ebay.com/
- http://ebay.com/securitycenter/ResearchersAcknowledgement.html
- http://www.asafety.fr/vuln-exploit-poc/contribution-ebay-css-injection-xss-potentielle/
- http://www.synetis.com/2014/08/22/contribution-securite-debay/

 
Report timeline :
======================================================================
 
2014-07-21 : eBay Team alerted with details and PoC.
2014-07-21 : eBay response and ack.
2014-07-21 : eBay validate the issue and awaiting fix.
2014-08-21 : eBay fixed the issue and acknowledgement
2014-08-22 : Public article on SYNETIS website.
2014-12-20 : Public article and PoC on ASafety website
2014-12-20 : Public advisory


Credits :
======================================================================
 
    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security
 
Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr