PayPal Marketing Remote Code Execution, Information Disclosure and XSS
Today I will be writing about my experience with PayPal’s Bug Bounty Program and how I was able to discover a Remote Code Execution on one of their branded websites.
While auditing PayPal-Marketing.com for XSS vulnerabilities I came across a strange URL:
Which displayed the content of the 3 IDs provided in the link. So I figured I might be able to execute SQL commands and hoped for RCE. However, that wasn't the case. After a few tries I realized that my SQL injection was upsetting the getPartnerBasic function, producing errors that disclosed the full path of the website and mentioned the getPartnerBasic() function. So I decided to replace getPartnerBasic with phpinfo and see if that would do something (I doubted it!). The following request resulted in:
and I immediately reported the vulnerability to PayPal and received the following email:
Hey, were you actually able to run any other commands or just get the version and PHPinfo? Thanks, PayPal Security Team
To make sure this wasn't lowered from an RCE to an information disclosure, I replied to the PayPal Security Team with the following links, which gave them more information than phpinfo alone:
PayPal was extremely fast and patched the vulnerability in under 24 hours. Here's the PoC video:
Also, I would like to thank Stefano Vettorazzi for helping in the process of discovering this vulnerability.
04/10/2014 – Reported
04/11/2014 – Patched
04/14/2014 – Permission to disclose
I was also able to report an XSS in the search module of the PayPal-Marketing partners' page by searching for an IMG tag injected with XSS.
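As an added illustration of both findings above (this is not code from PayPal-Marketing.com or from the write-up), here is the PHP pattern that would explain them, under two assumptions: that the partner endpoint took a function name from the request and called it (which is why swapping getPartnerBasic for phpinfo in the URL ran phpinfo()), and that the search module echoed the query back unescaped. The function and parameter names (handlePartner*, renderSearch*, func, ids) are illustrative, and the partner lookup is a stand-in that returns placeholder records. Each vulnerable routine is followed by its hardened counterpart.

```php
<?php
declare(strict_types=1);

// Added example, not PayPal's code. Hypothetical names throughout; the
// only assumption carried over from the write-up is that a request
// parameter selected the PHP function to call.

// Stand-in for the real partner lookup: returns placeholder records.
function getPartnerBasic(array $ids): array
{
    return array_map(fn($id) => ['id' => (int) $id, 'name' => "partner-$id"], $ids);
}

// --- Vulnerable patterns --------------------------------------------------

// Whatever arrives in $query['func'] becomes a variable function call, so
// ?func=phpinfo calls phpinfo(). PHP 5 of the era ran it despite the bogus
// argument; newer PHP enforces the callee's parameter types, but the
// attacker still chooses which defined function executes. With
// display_errors on, a malformed ID also leaks the script path in the
// error text, which is the information disclosure described above.
function handlePartnerVulnerable(array $query): mixed
{
    $ids  = explode(',', $query['ids'] ?? '');
    $func = $query['func'] ?? 'getPartnerBasic';
    return $func($ids);               // attacker picks the callee
}

// Reflects the search term verbatim: <img src=x onerror=...> executes.
function renderSearchVulnerable(string $term): string
{
    return "<p>Results for: {$term}</p>";
}

// --- Hardened patterns ----------------------------------------------------

// Keep error detail out of responses (set in php.ini for real deployments).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// The request value is a key into this allowlist, never the callee itself.
const PARTNER_HANDLERS = [
    'basic' => 'getPartnerBasic',
];

// Accept only short decimal IDs; anything else is rejected before use.
function parseIds(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $piece) {
        if (!preg_match('/^\d{1,10}$/', $piece)) {
            throw new InvalidArgumentException('invalid id');
        }
        $ids[] = (int) $piece;
    }
    return $ids;
}

function handlePartnerHardened(array $query): array
{
    $key = $query['func'] ?? 'basic';
    if (!is_string($key) || !isset(PARTNER_HANDLERS[$key])) {
        throw new InvalidArgumentException('unknown handler');
    }
    $handler = PARTNER_HANDLERS[$key];
    $raw = $query['ids'] ?? '';
    if (!is_string($raw)) {
        throw new InvalidArgumentException('invalid id');
    }
    return $handler(parseIds($raw));
}

// Encode for an HTML text context; the IMG tag comes back as literal text.
function renderSearchHardened(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: {$safe}</p>";
}

// Constructed requests for a local run (php this_file.php).
$benign = ['ids' => '1,2,3', 'func' => 'basic'];
$evil   = ['ids' => '1', 'func' => 'phpinfo'];

print_r(handlePartnerHardened($benign));
try {
    handlePartnerHardened($evil);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo renderSearchHardened('<img src=x onerror=alert(1)>'), "\n";
```

The allowlist is the important part: validating the function name with a regex or checking function_exists() still lets an attacker reach any built-in, whereas mapping a fixed set of keys to handlers leaves nothing for the request to choose. Turning display_errors off removes the path disclosure that made the function name visible in the first place, and htmlspecialchars() with ENT_QUOTES covers the reflected search term in an HTML text context (attribute and JavaScript contexts need their own encoders).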