Document Title: =============== Ebay Inc Magento ProStore CP #4 - Filter Validation Bypass & Persistent (Payment Information) Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1265 Ebay Inc ID: EIBBP-28091 Video: http://www.vulnerability-lab.com/get_content.php?id=1276 View: https://www.youtube.com/watch?v=v8_knMYRUOQ Release Date: ============= 2014-08-04 Vulnerability Laboratory ID (VL-ID): ==================================== 1265 Common Vulnerability Scoring System: ==================================== 5.7 Product & Service Introduction: =============================== Our team of security professionals works hard to keep Magento customer information secure. What`s equally important to protecting this data? Our security researchers and user community. If you find a site that isn`t following our policies, or a vulnerability inside our system, please tell us right away. To report security vulnerabilities in Magento software or web sites, use the eBay Inc. Bug Bounty tool. A list of sites eligible for bounties and the vulnerability classes that are in scope are detailed below. Prostores - (mystore.prostores.com, store0*.prostores.com) Researchers must register their own trial stores in order to perform testing on the ProStores platform. As long as each account is cancelled before 30 days, there will be no charge. NO testing of any kind may be performed by researchers against stores they did not register themselves, especially existing stores belonging to real merchants. Researchers are encouraged to name their stores in such a way that they`re easily identifiable as their own. Bugs will NOT be accepted in stores not owned by the researcher; such research may result in disqualification for future bounties. Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /Admin/) will NOT be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. Merchants may configure their stores to use their own domains if they are concerned about the risk of XSS attacks against their customers or store. The same bug WILL NOT be eligible for bounties on two or more subdomains. Such a bug will only be eligible for a single bounty payment. For example: store01.prostores.com, store02.prostores.com, and mystore.prostores.com are all considered the same domain running the same code for the purposes of the bounty program. (Copy of the Homepage: http://magento.com/security ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team has discovered a filter bypass & persistent vulnerability in the Ebay Inc Magento ProStore CP web-application and api. Vulnerability Disclosure Timeline: ================================== 2014-05-15: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2014-05-16: Vendor Notification (Ebay Inc Magento - Bug Bounty Program) 2014-06-27: Vendor Response/Feedback (Ebay Inc Magento - Bug Bounty Program) 2014-07-31: Vendor Fix/Patch (Magento Developer Team [Magento BB Announcement] - Updates 31th July) 2014-08-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ebay Inc. Product: Magento - ProStore Application & API 2014 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A filter bypass and persistent input validation web vulnerability has been discovered in the official Ebay ProStore CP Applicaiton (API). The filter issue allows remote attackers to use of special tricks to bypass the regular web formular validation of for example a payment. The persistent input validation vulnerability allows an attacker to inject own malicious script codes on the application-side of the service. The filter bypass issue is located in the regular registration formular of the ebay prostore application service. Remote attackers are able to bypass the user first- & lastname input fields restriction of the framework. Remote attackers are able to inject own payloads by holding `strg+v` (combo - copy-paste) to keep the payload inside of the input field. Next to holding the buttons the attacker clicks the send button. The filter protection of the application and api does not have a second proof of validation next to sending a registration formular with the trick and script code payloads in the last- & firstname values. After the first save of the input value and jump to the payment via paypal menu the attacker can save one string per request to the user credentials. By including in the first request procedure only one payload in for example the firstname value, the attacker can include via the same way also in the last-name after activating a paypal payment account. The persistent input validation vulnerability is located in the vulnerable cardholder value of the payment information and payment details module. The vulnerability can be exploited by remote attackers with low privileged application user accounts. The attacker vector is persistent and the execution of the injected payload occurs in the /cp/ payment and not the /admin/ on the applicat-side. To exploit the persistent vulnerability, its required to use the reported filter bypass ago. Note: We are not sure yet if the persistent issue also affects the manager/admin backend when reviewing the payment information of us. Should be checked by internal with feedback. All interaction with the compromised test payment information should be reviewed by different perspectives on interaction. Exploitation of the filter bypass issue requires no privileged application user account and no user interaction. Exploitation of the persistent input validation web vulnerability requires a low privileged application user account and low or medium user interaction. Successful exploitation of the filter issue leads to evasion of the regular scheme. Successful exploitation of the persistent input validation web vulnerability Request Method(s): [+] [POST] Vulnerable Module(s): [+] ../CP/ > Payment Information & payment Details (Card Details) Vulnerable File(s): [+] store_payment_info.php Vulnerable Parameter(s): [+] first- & lastname [+] Cardholder Name Affected Module(s): [+] https://mystore.prostores.com/CP/ Proof of Concept (PoC): ======================= The filter bypass issue can be exploited by remote attackers without user interaction or privileged appliation user account. The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue. Steps: 1. Register an account at prostore for testings and policy 2. On the registration you include in the lastname a payload and press strg+v, then you click the send button 3. You get redirected to include the payment information and link a paypal account 4. You get redirected again back to the registration step one with the linked account 5. You press strg+v and hold it for including in the firstname (only one input per loop), press next to it via mouse the send button and complete the procedure of registration 6. Login to the cp and visit the following payment information url Note: All interaction with the compromised payment information can have an affect to the moderator/administrator backend on review or interaction. 7. Successful reproduce of the filter bypass issue in the registration and persistent issue in the payment information! PoC: ProStores - Payment Information > Payment