Active Members akkiliON Posted December 13, 2013 Active Members Report Posted December 13, 2013 (edited) A German Security researcher has demonstrated a critical vulnerability on Ebay website, world's biggest eStore.According to David Vieira-Kurz discovered Remote code execution flaw "due to a type-cast issue in combination with complex curly syntax", that allows an attacker to execute arbitrary code on the eBay's web server.In a demo video, he exploited this RCE flaw on EBay website, and managed to display output of phpinfo() PHP function on the web page, just by modifying the URL and injecting code in that.According to an explanation on his blog, he noticed a legitimate URL on eBay:https://sea.ebay.com/search/?q=david&catidd=1..and modified the URL to pass any array values including a payload:https://sea.ebay.com/search/?q[0]=david&q[1]=sec{${[COLOR="#FF0000"]phpinfo()[/COLOR]}}&catidd=1Video Demonstration: But it is not clear at this moment that where the flaw resides on Ebay server, because how a static GET parameter can be converted to accept like an array values ?According to me, it is possible only if the 'search' page is receiving "q" parameter value using some LOOP function like "foreach()". Most probably code at the server end should be something like:foreach($_GET['q'] as $data){If $data is successfully able to bypass some input filter functions {eval("execute thing here with $data"); }}David has already reported the flaw responsibly to the Ebay Security Team and they have patched it early this week. Edited December 13, 2013 by akkiliON 1 Quote
malsploit Posted December 13, 2013 Report Posted December 13, 2013 Acume ceva timp aveau si un sqli acolo. Quote
Active Members akkiliON Posted December 13, 2013 Author Active Members Report Posted December 13, 2013 Acume ceva timp aveau si un sqli acolo.Hehe, ?i eu ?tiam de un Blind MySQL + XSS Flash într-un subdomeniu. SQLi a fost reparat repede din câte ?tiu. Dar de XSS, nu mai ?in minte. Quote
