PayPal Marketing Remote Code Execution, Information Disclosure and XSS

Hello everyone,

Today I will be writing about my experience with PayPal’s Bug Bounty Program and how I was able to discover a Remote Code Execution on one of their branded websites.

While auditing PayPal-Marketing.com for a few XSS vulnerabilities, I came across a strange URL:

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getPartnerBasic&list=34158729+24555431948+28165489

It displayed the details of the three IDs supplied in the link, so I figured I might be able to execute SQL commands and hope for an RCE. That wasn't the case, however. After a few tries I realized that my SQL injection attempts were upsetting the getPartnerBasic function, producing errors that disclosed the full path of the website and mentioned the getPartnerBasic() function. So I decided to replace getPartnerBasic with phpinfo and see if that would do anything (I doubted it!). However, the following request resulted in:

and I immediately reported the vulnerability to PayPal and received the following email:

Hey, Were you actually able to run any other commands or just get the version and PHPinfo? Thanks, PayPal Security Team

To make sure this wasn't downgraded from an RCE to an information disclosure, I replied to the PayPal Security Team with the following links, which provided them with more information than phpinfo alone:

PID
GID
UID

PayPal was extremely fast and patched the vulnerability in under 24 hours. Here's the PoC video:


Also, I would like to thank Stefano Vettorazzi for helping in the process of discovering this vulnerability.

Timeline:
04/10/2014 – Reported
04/11/2014 – Patched
04/14/2014 – Permission to disclose
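For context on the bug class, here is an added example (not the site's code, which was never published) of the dispatcher pattern that the behaviour described above is consistent with, beside an allow-listed version that closes it; the PARTNERS data, the dispatch functions and the handler body are assumptions for illustration.

```php
<?php
// Added example, not the site's code (its source was never published): the
// dispatcher pattern the behaviour above is consistent with. PARTNERS is constructed.
const PARTNERS = [
    '34158729'    => ['name' => 'Partner A'],
    '24555431948' => ['name' => 'Partner B'],
];

// Handler: rows for the ids in ?list= ('+' in the URL decodes to a space).
function getPartnerBasic(): array
{
    $rows = [];
    foreach (explode(' ', $_GET['list'] ?? '') as $id) {
        if (isset(PARTNERS[$id])) {
            $rows[$id] = PARTNERS[$id];
        }
    }
    return $rows;
}

// Vulnerable dispatch: a variable function call on untrusted input.
// ?action=phpinfo calls phpinfo(); any zero-argument built-in behaves the same.
// function_exists()/is_callable() checks do not help: those names are real functions.
function dispatchVulnerable()
{
    $action = $_GET['action'] ?? 'getPartnerBasic';
    return $action();
}

// Hardened dispatch: an explicit allow-list from action name to handler, checked
// before anything is called, so the callee is never taken from the request.
// The id list is validated too: malformed values are what produced the error
// messages that leaked the server path in the report above.
const ACTIONS = ['getPartnerBasic' => 'getPartnerBasic'];

function dispatchHardened(): array
{
    $action = $_GET['action'] ?? '';
    if (!array_key_exists($action, ACTIONS)) {
        http_response_code(400);
        return ['error' => 'unknown action'];
    }
    if (!preg_match('/^\d+( \d+)*$/', $_GET['list'] ?? '')) {
        http_response_code(400);
        return ['error' => 'list must be space-separated numeric ids'];
    }
    return (ACTIONS[$action])();
}
header('Content-Type: application/json');
echo json_encode(dispatchHardened());
```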

Cross-Site Scripting:

I was also able to report an XSS in the search module of the PayPal-Marketing partner directory by searching for an IMG tag carrying an XSS payload.

Vulnerable URL:

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/

Hall of fame:
