exploit the possibilities

eBay.com ocsnext CSS Injection

eBay.com ocsnext CSS Injection
Posted Dec 22, 2014
Authored by Yann CAM

The eBay.com ocsnext sub-domain suffers from a CSS injection vulnerability.

tags | exploit
MD5 | f526a7eaacbc6cd49a39f042535b3b8b

eBay.com ocsnext CSS Injection

Change Mirror Download
######################################################################
# Exploit Title: eBay.com ocsnext sub-domain Reflected CSS injection
# Date: 20/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ebay.com
# Version: /
# Category: Reflected CSS injection
# Google dork:
# Tested on: eBay.com ocsnext sub-domain
######################################################################

Adobe description :
======================================================================

eBay Inc., is an American multinational corporation and e-commerce company, providing consumer-to-consumer & business-to-consumer sales services via Internet.
It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble;
it is a multi-billion dollar business with operations localized in over thirty countries.

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide.


Vulnerability description :
======================================================================
A CSS injection is available in the ocsnext.ebay.com sub-domain.
Through this vulnerability, an attacker could tamper with page rendering, and potentially injects JavaScript to generate Reflected XSS (RXSS) to
redirect victims to fake eBay portals, or capture eBay's users credentials such cookies.
This CSS injection is on GET "query" variable and is not properly sanitized before being used to his page.


Proof of Concept 1 :
======================================================================

A non-persistent CSS injection and potentially RXSS in "query" GET param is available in the ocsnext.ebay.com sub-domain.
Test with FireFox 30.0 and Chrome 36.0.1985.125.

Using eBay's services, the vulnerability injection (HTML, CSS and JavaScript potentially) affect a page of ocsnext.ebay.com domain (*.ebay.com) once authenticated.

The injection is used to define arbitrary attributes on an input tag type "hidden":
<input type="hidden" name="query" value="[INJECTION]" />

It is possible to define the "style" attribute to load the CSS on the fly and possibly make XSS based browsers and their versions
(-moz-binding, expression(), background-image: url(javascript:) ) ...

Chars like "<" or ">" are encoded, and strings like "http://" are filtered. To evade the "http://" filter, evasion vector "http:/%26%23x0D%3B/" is used.

PoC:
http://ocsnext.ebay.com/ocs/cusr?query=x" style="background-image:url('http:/%26%23x0D%3B/www.asafety.fr/images/logo.png')&domain=TechnicalIssues&from=404_error


Screenshots :
======================================================================

- http://www.asafety.fr/data/20140721-ebay_css_injection_01.png


Solution:
======================================================================

Fixed by eBay / PayPal / Magento security team.


Additional resources :
======================================================================

- http://www.ebay.com/
- http://ebay.com/securitycenter/ResearchersAcknowledgement.html
- http://www.asafety.fr/vuln-exploit-poc/contribution-ebay-css-injection-xss-potentielle/
- http://www.synetis.com/2014/08/22/contribution-securite-debay/


Report timeline :
======================================================================

2014-07-21 : eBay Team alerted with details and PoC.
2014-07-21 : eBay response and ack.
2014-07-21 : eBay validate the issue and awaiting fix.
2014-08-21 : eBay fixed the issue and acknowledgement
2014-08-22 : Public article on SYNETIS website.
2014-12-20 : Public article and PoC on ASafety website
2014-12-20 : Public advisory


Credits :
======================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    27 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close