exploit the possibilities

eBay.com ocsnext CSS Injection

eBay.com ocsnext CSS Injection
Posted Dec 22, 2014
Authored by Yann CAM

The eBay.com ocsnext sub-domain suffers from a CSS injection vulnerability.

tags | exploit
MD5 | f526a7eaacbc6cd49a39f042535b3b8b

eBay.com ocsnext CSS Injection

Change Mirror Download
######################################################################
# Exploit Title: eBay.com ocsnext sub-domain Reflected CSS injection
# Date: 20/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ebay.com
# Version: /
# Category: Reflected CSS injection
# Google dork:
# Tested on: eBay.com ocsnext sub-domain
######################################################################

Adobe description :
======================================================================

eBay Inc., is an American multinational corporation and e-commerce company, providing consumer-to-consumer & business-to-consumer sales services via Internet.
It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble;
it is a multi-billion dollar business with operations localized in over thirty countries.

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide.


Vulnerability description :
======================================================================
A CSS injection is available in the ocsnext.ebay.com sub-domain.
Through this vulnerability, an attacker could tamper with page rendering, and potentially injects JavaScript to generate Reflected XSS (RXSS) to
redirect victims to fake eBay portals, or capture eBay's users credentials such cookies.
This CSS injection is on GET "query" variable and is not properly sanitized before being used to his page.


Proof of Concept 1 :
======================================================================

A non-persistent CSS injection and potentially RXSS in "query" GET param is available in the ocsnext.ebay.com sub-domain.
Test with FireFox 30.0 and Chrome 36.0.1985.125.

Using eBay's services, the vulnerability injection (HTML, CSS and JavaScript potentially) affect a page of ocsnext.ebay.com domain (*.ebay.com) once authenticated.

The injection is used to define arbitrary attributes on an input tag type "hidden":
<input type="hidden" name="query" value="[INJECTION]" />

It is possible to define the "style" attribute to load the CSS on the fly and possibly make XSS based browsers and their versions
(-moz-binding, expression(), background-image: url(javascript:) ) ...

Chars like "<" or ">" are encoded, and strings like "http://" are filtered. To evade the "http://" filter, evasion vector "http:/%26%23x0D%3B/" is used.

PoC:
http://ocsnext.ebay.com/ocs/cusr?query=x" style="background-image:url('http:/%26%23x0D%3B/www.asafety.fr/images/logo.png')&domain=TechnicalIssues&from=404_error


Screenshots :
======================================================================

- http://www.asafety.fr/data/20140721-ebay_css_injection_01.png


Solution:
======================================================================

Fixed by eBay / PayPal / Magento security team.


Additional resources :
======================================================================

- http://www.ebay.com/
- http://ebay.com/securitycenter/ResearchersAcknowledgement.html
- http://www.asafety.fr/vuln-exploit-poc/contribution-ebay-css-injection-xss-potentielle/
- http://www.synetis.com/2014/08/22/contribution-securite-debay/


Report timeline :
======================================================================

2014-07-21 : eBay Team alerted with details and PoC.
2014-07-21 : eBay response and ack.
2014-07-21 : eBay validate the issue and awaiting fix.
2014-08-21 : eBay fixed the issue and acknowledgement
2014-08-22 : Public article on SYNETIS website.
2014-12-20 : Public article and PoC on ASafety website
2014-12-20 : Public advisory


Credits :
======================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close