Researchers demonstrate proof-of-concept in video

Aug 5, 2014 19:11 GMT

A filter bypass and a persistent input validation web vulnerability have been discovered in the front end and back end of the ProStore application of the eBay-owned Magento e-commerce platform.

Benjamin Kunz Mejri, a researcher at Vulnerability Laboratory, uncovered the remotely exploitable flaw back in May 2014 and reported it to the company, which released a fix at the end of July.

According to the advisory from Vulnerability Laboratory, the filter bypass resides in the regular registration form of the eBay ProStore application service: an attacker is able to bypass the framework's restriction on the user's first and last name input fields.

Intruders would then be able to inject payloads “by holding ‘strg+v’ (combo - copy-paste) to keep the payload inside of the input field” (Strg+V is the German keyboard label for Ctrl+V). The attacker can then click the send button.

The application and its API apparently rely on that client-side filter alone and perform no further validation, so the attacker is able to submit script code in the first and last name values.

“After the first save of the input value and jump to the payment via PayPal menu the attacker can save one string per request to the user credentials. By including in the first request procedure only one payload in for example the first name value, the attacker can include via the same way also in the last-name after activating a paypal payment account,” says the advisory.

Taking advantage of this issue does not entail the use of a high-privileged user account or any interaction from the user.

As far as the persistent input validation glitch is concerned, it is present in the cardholder value of the payment information and payment details module.

Exploiting it does not require an account with elevated privileges and can be carried out remotely, but it depends on the filter bypass flaw and needs low to medium user interaction.
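The weakness described above for the name fields and the cardholder value is a filter enforced only in the browser. As an added defensive illustration (not code from the advisory, from Magento or from ProStore; the function and field names are assumptions), the following shows the two server-side controls that make a pasted payload harmless: an allowlist check on every submitted name field and HTML escaping applied when the stored value is rendered in the control panel.

```python
import html
import unicodedata


def validate_name(value: str) -> str:
    """Server-side allowlist for first name, last name and cardholder fields.

    Accepts letters and combining marks from any script plus space, apostrophe,
    hyphen and period; anything else (angle brackets, quotes, parentheses...)
    is rejected. Raises ValueError so the caller can report the field.
    """
    value = unicodedata.normalize("NFC", value).strip()
    if not 1 <= len(value) <= 64:
        raise ValueError("name length out of range")
    for ch in value:
        if unicodedata.category(ch)[0] in ("L", "M") or ch in " '-.":
            continue
        raise ValueError(f"disallowed character {ch!r} in name")
    return value


def handle_registration(form: dict) -> dict:
    """Simulated server side of the registration/payment flow (hypothetical).

    Every field is re-validated here, so it does not matter whether the
    browser-side filter was bypassed by pasting into the input field.
    """
    clean, errors = {}, {}
    for field in ("firstname", "lastname", "cardholder"):
        try:
            clean[field] = validate_name(form.get(field, ""))
        except ValueError as exc:
            errors[field] = str(exc)
    return {"ok": not errors, "fields": clean, "errors": errors}


def render_payment_panel(first: str, last: str, cardholder: str) -> str:
    """Render stored values into the payment information page.

    Output encoding is applied at render time regardless of what input
    validation did, so a value that slipped into storage cannot execute.
    """
    return (
        "<dl>"
        f"<dt>Name</dt><dd>{html.escape(first)} {html.escape(last)}</dd>"
        f"<dt>Cardholder</dt><dd>{html.escape(cardholder)}</dd>"
        "</dl>"
    )
```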

In the advisory, Mejri provides the steps for the proof-of-concept. After registering a Magento ProStore account for testing, a payload is placed in the last name field and the form is submitted. A redirect to enter the payment information and link a PayPal account should then appear.

Another redirect ensues, to the first registration step, with the linked account. For the fifth step, “you press strg+v and hold it for including in the firstname (only one input per loop), press next to it via mouse the send button and complete the procedure of registration.”

The final stage of the hack is to log into the control panel of the store and visit the payment information URL.

A video demonstrating successful exploitation of the vulnerability has also been published by the researchers.