Pasar al contenido principal

2017-002: Paypal(dot)com self-XSS Vulnerability

2017-002: Paypal(dot)com self-XSS Vulnerability

Original release date: February 25, 2017
Last revised: February 27, 2017
Discovered by: Fabián Cuchietti
Severity: 2/5 (CVSSv3 Base Metrics)

BACKGROUND

PayPal Holdings, Inc. is an American company operating a worldwide online payments system that supports online money transfers and serves as an electronic alternative to traditional paper methods like checks and money orders.

DESCRIPTION

Paypal (dot) com is affected by self Cross-Site Scripting vulnerability in the "Reminder Note". The vulnerable resource does not properly check the type of the parameters passed to the application through POST requests. It allows malicious users to bypass the sanitizer and execute arbitrary HTML/script code in the context of the victim's browser.

PROOF OF CONCEPT

1) Sign in to your paypal account

2) Go to category: Tools > Forms of Payment

3) Click on Create a new payment format

4) Complete the form and click Submit

5) Go to: Manage payment formats > Edit the created payment format >

6) Memo or "Reminder Note" > Edit > Here we insert our payload, i.e: "><img src=x on error=prompt(document.domain)> > Click on Saved

7) The XSS will be executed successfully.

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc.

SYSTEMS AFFECTED

SOLUTION

-

REVISION HISTORY

December 13, 2015 Initial release

DISCLOSURE TIMELINE

  • February 25, 2017   Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • February 25, 2017   Contact with Paypal Security Team.
  • February 27, 2017   Vendor Response/Feedback.
  • February 27, 2017   Advisory published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.