Weaknesses allow for code injection, file inclusion and directory traversal

Apr 4, 2009 08:38 GMT

A self-proclaimed ethical hacker has disclosed multiple bugs affecting the eBay UK website. On their own, or combined, these flaws can facilitate different attacks such as phishing, session cookie hijacking or expose secure information.

Screenshots of several proof-of-concept attacks against ebay.co.uk have been published by a white-hat hacker, going by the online handle of Methodman. He also previously reported cross-site scripting weaknesses in other high profile websites belonging to the likes of Kaspersky, ESET (NOD32), Avira or Intel.

Methodman is a member of a group of programmers and security enthusiasts calling themselves ]['€AM€LiT€ (Team Elite). The outfit runs a chat network utilizing the IRC and Direct Connect protocols. Additionally, they develop various software such as mods and plug-ins for NMDC (NeoModus Direct Connect).

According to the provided evidence, several bugs are being exploited to mount different attacks. The first is a cross-site scripting weakness, resulting from poor input validation, that can be used to inject rogue code into the page.

"Malicious people can inject JavaScript code to redirect users to eBay scam pages (phishing attacks)," advises Methodman. Stealing session cookies, serving malware through a hidden IFrame or hijacking user mouse clicks for malicious purposes (clickjacking) are also possible by exploiting this flaw.

A second vulnerability allows for unauthorized directory traversal and local file inclusion attacks on the Web server. "Attackers use directory traversal attacks to read arbitrary files on web servers, such as SSL private keys and password files," explains the hacker, who provided screenshots with content from the /etc/hosts and /etc/passwd files as examples.
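The traversal class described above comes down to a server building a file path from user input without confirming where the result lands. The following is an added illustration, not code from the article or from eBay, using a constructed web root and constructed log lines: the naive resolver hands back /etc/passwd for a traversal request, while the hardened resolver decodes the path, normalises it and rejects anything that escapes the web root, which also makes it usable as a detection filter over access logs.

```python
import posixpath as pp
from urllib.parse import unquote

# Constructed web root for the demonstration; any directory name would do.
WEB_ROOT = "/var/www/site/public"

def resolve_naive(web_root, requested):
    """The weak pattern: join the user-supplied path onto the web root and
    normalise it, without checking whether the result is still inside."""
    return pp.normpath(pp.join(web_root, requested))

def resolve_safe(web_root, requested):
    """Hardened form: decode (twice, to collapse double-encoding such as
    %252e), strip any leading slash so join() cannot be overridden by an
    absolute path, normalise, then require containment in web_root.
    Returns the resolved path, or None when the request escapes the root."""
    decoded = unquote(unquote(requested))
    root = pp.normpath(web_root)
    candidate = pp.normpath(pp.join(root, decoded.lstrip("/")))
    # commonpath is the containment test; a plain prefix string comparison
    # would wrongly accept a sibling such as /var/www/site/public_old/...
    if pp.commonpath([root, candidate]) != root:
        return None
    return candidate

def flag_traversal(log_lines, web_root=WEB_ROOT):
    """Return the request paths in combined-log-format lines that would
    escape web_root, i.e. the lines a defender should look at first."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()          # e.g. ['GET', '/path', 'HTTP/1.1']
        if len(request) < 2:
            continue
        if resolve_safe(web_root, request[1]) is None:
            flagged.append(request[1])
    return flagged

# Constructed sample log lines (not real eBay traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Apr/2009:08:38:00 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Apr/2009:08:38:01 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1847',
    '10.0.0.9 - - [04/Apr/2009:08:38:02 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220',
    '10.0.0.7 - - [04/Apr/2009:08:38:03 +0000] "GET /index.html HTTP/1.1" 200 4096',
]
```

Running flag_traversal(SAMPLE_LOG) returns only the two traversal request paths; the same resolve_safe check, placed in front of the file read, is what stops the server from serving them in the first place.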

The URLs of the vulnerable pages have been partially blacked out in the screenshots, in order to prevent ill-intentioned replication of the attacks. According to Methodman, attempts to notify eBay of the problem have gone unanswered so far. "The webmaster has been alerted about this BUT I have not received any response, so maybe all bugs still works [sic]!" he wrote.

Methodman acknowledged a while ago in an e-mail to Softpedia that he was inspired to look for vulnerabilities in high profile websites by the similar actions of the now-defunct Romanian ethical hacking outfit HackersBlog.

Note: We have also alerted eBay about these security issues, using two different contact methods, and we will return with more information as/if it becomes available.

Update: An eBay representative has responded to our request for comment and has acknowledged the flaws. "eBay can confirm that one of its micro-project sites had some limited vulnerabilities to malicious hacking attempts. Since discovery last week, eBay can also confirm that we have since plugged these known vulnerabilities," he said.

The spokesperson also explained that the vulnerable pages were not connected to any sensitive data. "The sites in question were developed in the rapid iteration and deployment methodology we prefer for our micro-projects. Because we anticipate having an occasional vulnerability on these sites due to the speed with which they are developed and rolled out, they are never exposed to our full production servers and data until we are able to thoroughly and rigorously test their ability to comply with eBay’s stringent security standards. Because of our abundance of caution in approaching security, eBay can also confirm that NO customer data was compromised," he stressed.

Photo Gallery (5 images): Multiple vulnerabilities found in eBay.co.uk; IFrame injection on eBay.co.uk; Session cookie revealing on eBay.co.uk