Usr6

Backdoor shell in eBay


Posted

Jordan Jones (@CEHSecurity), a security researcher, claims to have discovered a critical security vulnerability in the eBay website for employees that allowed him to upload a backdoor shell.

ebay-hacked-backdoor-shell.jpg

Jordan said in his tweet that he notified eBay about the vulnerability. A screenshot published on his Twitter account shows that he is able to upload a 'shell.php' file to the following location:

"https://dsl.ebay.com/wp-includes/Text/Diff/Engine/shell.php"

At the time of writing, the file is still there. The last modified date of the file is December 2012. It is quite possible to modify the timestamp, so we are not sure how long the file has been there.

Trying to access the shell ends up in a blank page. It means either the researcher has modified the shell to run only when a particular input is passed, or it is not a shell.

Jordan has also discovered a cross-site scripting vulnerability in the eBay Research Labs page (labs.ebay.com).

Source: Researcher finds vulnerability in eBay and claims he uploaded a shell - E Hacker News
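
WordPress core ships its own file at wp-includes/Text/Diff/Engine/shell.php (part of the bundled Text_Diff library), so neither the file name nor a last-modified date that anyone can rewrite settles whether the file is a backdoor; comparing its hash with a known-good copy of the same release does. The check below is an added example, not part of the original post or the quoted article; the manifest, the file contents and the `audit_tree` and `demo` names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_tree(root, manifest):
    """Classify every file under root against manifest {rel_path: sha256}.

    Only content hashes are used; names and mtimes are ignored because
    whoever wrote the file controls both.
    """
    report = {"ok": [], "modified": [], "unexpected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest:
                report["unexpected"].append(rel)
            elif sha256_file(full) == manifest[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo(tamper):
    """Build a constructed stand-in for wp-includes and audit it."""
    rel = "Text/Diff/Engine/shell.php"
    pristine = b"<?php // constructed stand-in for the core file\n"
    manifest = {rel: hashlib.sha256(pristine).hexdigest()}  # assumed known-good
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(pristine + (b"// constructed extra bytes\n" if tamper else b""))
        if tamper:
            extra = os.path.join(os.path.dirname(path), "extra.php")
            with open(extra, "wb") as f:
                f.write(b"<?php // constructed file absent from the manifest\n")
        # Back-date the mtime to December 2012: trivial to do, so it proves nothing.
        os.utime(path, (1354320000, 1354320000))
        return audit_tree(root, manifest)

if __name__ == "__main__":
    print(demo(tamper=False))
    print(demo(tamper=True))
```

On a real site the manifest would come from a pristine copy of the exact WordPress release that is installed.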

Posted

After the war, many heroes show up and say they did this and that. The ones who breached eBay and stole 145 million personal records, those I believe, but I don't believe a page like ehackingnews.com (lying Indian).

Posted

Either it's HumanStupidity or they intentionally left the full path and other things open over there. As big as eBay is, doesn't it still pay some amount to protect its infrastructure?

Posted
Either it's HumanStupidity or they intentionally left the full path and other things open over there. As big as eBay is, doesn't it still pay some amount to protect its infrastructure?

These are things they make, test, and then forget lying around. I found this thing on a PayPal subdomain. I reported it and they said it poses no danger to users, and after 2 days they deleted it:

Screenshot+from+2014-05-23+14:51:11.png
