
Remote code execution on eBay

In information security, not everything goes as smoothly as we would like. There are plenty of examples of this: a look at the latest news on security sites suggests that even the largest companies sometimes do not pay enough attention to it. This time it was eBay's turn.

For those not familiar with eBay, I recommend following the link; the rest of us move on.
On December 13 of this year, David Vieira-Kurz discovered a remote code execution vulnerability, or simply RCE, on one of eBay's subdomains.
The vulnerable code was in the search functionality on the sea.ebay.com domain. A typical search link looks like this: sea.ebay.com/search/?q=david&catidd=1. But it is not that simple: PHP uses dynamic typing, so pitfalls are always possible. The first thing David sent instead of a string was an array, q[]. The response was a normal result, the same as for a string query. The researcher then sent several elements of the q[] array at once, passing PHP code that calls the phpinfo function as one of the elements. The query string thus took the form: sea.ebay.com/search/?q=1&catidd=1&q[0]=2&q[1]={${phpinfo()}}

Great, the result is received.
Given that this vulnerability is critical, it is safe to assume that if David had been a black hat, the web server would have been in his pocket, and access to the main domain's database would not have been ruled out.
Since David was not pursuing selfish goals, he reported the vulnerability to eBay's technical support, which closed the hole in short order. Since the author did not see the script's source code, he assumes the vulnerable section of code looks something like this:

```php
<?php
foreach ($_GET['q'] as $data) {            // q[]=... arrives as an array and is iterated element by element
    if ($data /* condition elided in the original */) {
        // Assumed wrapping: $data is interpolated into a double-quoted string that reaches eval(),
        // so the element "{${phpinfo()}}" is evaluated and phpinfo() runs.
        eval("\$term = \"$data\";");
    }
}
```
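
The defensive counterpart, as an added example that is not part of the original post: the same parameter handled with a type check and a whitelist instead of eval(). The `$_GET` arrays below are constructed to mirror the two requests described above.

```php
<?php
// Added example (not eBay's code). Hardened handling of the q parameter:
// enforce the expected type, constrain the value, and never hand it to eval().
function safe_search_term(array $get): ?string
{
    $q = $get['q'] ?? null;
    // ?q[]=... makes PHP deliver an array here; a string-only endpoint must reject it
    // rather than iterate or cast it (casting an array to string yields "Array" plus a warning).
    if (!is_string($q)) {
        return null;
    }
    $q = trim($q);
    // Whitelist: letters, digits, spaces and hyphens, bounded length. Anything else,
    // including the braces and dollar signs of "{${...}}", is refused outright.
    if ($q === '' || strlen($q) > 100 || preg_match('/[^\p{L}\p{N} \-]/u', $q)) {
        return null;
    }
    return $q;
}

// Constructed inputs: the normal query and the array-based request from the post.
$normal  = ['q' => 'david', 'catidd' => '1'];                      // ?q=david&catidd=1
$payload = ['q' => ['2', '{${phpinfo()}}'], 'catidd' => '1'];       // ?q[0]=2&q[1]={${phpinfo()}}

var_dump(safe_search_term($normal));    // accepted as a plain search term
var_dump(safe_search_term($payload));   // rejected: the array never reaches any code path
```

Logging the rejected requests (type mismatch on a parameter that is always a string in legitimate traffic) is also a cheap detection signal for this kind of probing.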

In addition to the text, there is also a video with a demonstration:


Check your own code for similar patterns; it may protect you in the future.

Source: https://habr.com/ru/post/206566/
