Security researcher Prakhar Prasad has been rewarded by PayPal for his work

Mar 13, 2013 09:45 GMT  ·  By

Security researcher Prakhar Prasad has identified a file upload vulnerability on a subdomain of PayPal’s BillMeLater.com that could have been exploited by an attacker to upload certain files on the servers used by the service.

The issue was caused by an outdated version of the DotNetNuke CMS, which allowed the uploading of files with the following extensions: .docx, .xlsx, .pptx, .swf, .jpg, .jpeg, .jpe, .gif, .bmp, .png, .doc, .xls, .ppt, .pdf, .txt, .xml, .xsl, .css, .zip and .spin.

The expert told Softpedia that an attacker could have caused serious damage by uploading maliciously crafted files.

“.swf files could have been used to create SWF-based XSS issues in the website. .docx / .pptx / .xls / .pdf extensions could have been used to upload client-side exploits on the BillMeLater server, as these extensions are typically handled by software like Microsoft Office Suite and Adobe Acrobat Reader,” Prasad explained.

“.txt extensions could have allowed a hacker to upload his defacement message,” he added.

The expert says he also attempted to upload a web shell that would have allowed him to execute arbitrary code. Those attempts failed because the web server software was up to date.

“If the server was IIS/6 then I could have got command execution there, due to a bug in file extension handling in IIS/6. But luckily the server was IIS/7.5,” he said.
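The two halves of this story, an extension allowlist that accepts "non-executable" types and a web server that decides what to execute from the filename, are worth seeing side by side. The Python below is an added example written for this article; it is not DotNetNuke, IIS or PayPal code, and the article does not say how the researcher's shell upload was attempted. It uses the article's extension list as the allowlist, and the `SERVER_EXECUTABLE`, `BROWSER_ACTIVE` and `CONTENT_TYPES` sets, the sample filenames, and the function names are all the editor's assumptions. The IIS 6 issue the researcher alludes to is not named in the article; the check for `;` below reflects the widely reported IIS 6 behaviour of truncating the filename at a semicolon when choosing a handler, so that a name such as `x.asp;.jpg` was run as ASP while an extension check saw only `.jpg`.

```python
"""Upload-name validation and serving headers for an extension-allowlisted
upload directory. Added example for this article; not DotNetNuke, IIS or
PayPal code. The sample filenames in __main__ are constructed."""
import os
import re
import secrets
from typing import Optional

# The extensions the article says the outdated DotNetNuke instance accepted.
DNN_ALLOWED = {
    ".docx", ".xlsx", ".pptx", ".swf", ".jpg", ".jpeg", ".jpe", ".gif", ".bmp",
    ".png", ".doc", ".xls", ".ppt", ".pdf", ".txt", ".xml", ".xsl", ".css",
    ".zip", ".spin",
}

# Extensions a Windows/IIS host hands to a script engine (an assumed,
# realistic set for this example, not taken from the article).
SERVER_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx", ".asa", ".cer", ".config"}

# Allowed types a browser renders or executes when fetched from the upload
# directory: .swf is the article's SWF-based XSS case; the rest are text
# that can carry markup or be content-sniffed (assumed set).
BROWSER_ACTIVE = {".swf", ".xml", ".xsl", ".css", ".txt"}

# Fixed Content-Type per extension; the client's declared type is never used.
CONTENT_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".jpe": "image/jpeg",
    ".png": "image/png", ".gif": "image/gif", ".pdf": "application/pdf",
    ".swf": "application/x-shockwave-flash", ".txt": "text/plain",
    ".zip": "application/zip",
}


def naive_extension_ok(filename: str) -> bool:
    """What an allowlist on 'the' extension amounts to: look at the text after
    the last dot. 'shell.asp;.jpg' passes, because splitext sees '.jpg'."""
    return os.path.splitext(filename)[1].lower() in DNN_ALLOWED


def validate_upload_name(filename: str) -> Optional[str]:
    """Return the validated extension, or None if the upload must be rejected."""
    base = re.split(r"[\\/]", filename)[-1]          # drop any client-supplied path
    # Control characters, NUL, and ';' (which IIS 6's handler mapping
    # truncated at, so 'x.asp;.jpg' ran as ASP) are rejected outright.
    if not base or re.search(r"[\x00-\x1f;]", base):
        return None
    # Windows drops trailing dots and spaces on create: 'x.asp.' becomes 'x.asp'.
    if base != base.rstrip(". "):
        return None
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    ext = "." + parts[-1]
    if ext not in DNN_ALLOWED:
        return None
    # Inner extensions count too: Apache's mod_mime and IIS 6 both read them.
    if any("." + p in SERVER_EXECUTABLE for p in parts[1:-1]):
        return None
    return ext


def storage_name(ext: str) -> str:
    """Never store under the client's name: random name, validated extension."""
    return secrets.token_hex(16) + ext


def serving_headers(ext: str) -> dict:
    """Headers for handing the file back. Content-Type is fixed per extension,
    sniffing is disabled, and browser-active types are forced to download so a
    same-origin .swf or .txt cannot run as a page on the site's origin."""
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment" if ext in BROWSER_ACTIVE else "inline",
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the article.
    for name in ["report.pdf", "shell.asp;.jpg", "a.aspx.png", "notes.txt ", "..\\logo.PNG"]:
        print(f"{name!r:18} naive={naive_extension_ok(name)!s:5} "
              f"hardened={validate_upload_name(name)}")
```

Note what the hardened check does not solve: a well-formed .docx or .pdf carrying a client-side exploit passes every filename test, which is why such uploads are scanned and served as downloads to other users rather than trusted because their extension is "safe".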

The researcher identified the issue on March 1 and reported it to PayPal shortly after. The payment processor rushed to address the issue and rewarded the expert with $5,000 (3,800 EUR).