Wednesday, September 25, 2013

Arbitrary File Upload in PayPal's http://apps.paypal.com

This was one of many vulnerabilities I found in http://apps.paypal.com as part of their bug bounty program. It is one of their developer portals, hosted on Apache/2.2.22 and running Drupal 7. I reported this issue to PayPal on May 19, 2013.
Here are some of the details of the bug:
After logging into the portal you can create applications for the developer environment, and as part of this it allowed uploading supporting files (the Ad Hoc files required for mobile app submissions). I uploaded a simple "txt" file and it generated an external link to the file (https://apps.paypal.com/system/files/test_###.txt).


The upload accepted every extension (*.jpg, *.txt, *.gzip, *.php, *.jar, *.exe, etc.) and did not validate them on the server side. I tried uploading a simple PHP shell, but sadly it didn't work :(.
I then tried the "XSS via SWF upload" technique blogged by Soroush Dalili (see his post for more details). I uploaded the "xssproject.swf" file and got an external link (https://apps.paypal.com/system/files/xssproject.swf), i.e. the Flash file was served from the portal's own origin.
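The root cause above is twofold: the portal trusted the user-supplied extension, and it served the stored file back from its own origin, so an uploaded SWF (or HTML) file runs with the portal's origin. The following is an added example, not code from the original post or from PayPal's portal, of the server-side checks a defender would want on such an upload handler: an extension allowlist, verification that the bytes match the claimed type, rejection of active content regardless of name, a random storage name, and download headers that stop the browser from rendering the file in the site's origin. It is written in Python as a language-neutral illustration (the portal itself ran Drupal 7 / PHP); the allowlist, limits and function names are assumptions made for the example.

```python
import os
import secrets

# Assumed allowlist for the example: only the types the feature needs.
# (The post says the portal accepted every extension; this is the opposite.)
ALLOWED_TYPES = {
    "txt": "text/plain",
    "png": "image/png",
    "jpg": "image/jpeg",
    "pdf": "application/pdf",
}

# Leading bytes each binary type must start with; plain text has no signature.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Byte patterns of active content that must never be stored under a URL on the
# site's own origin, whatever the claimed extension: SWF (uncompressed, zlib
# and LZMA headers), Windows PE, ZIP/JAR containers, PHP tags, HTML/script/SVG.
ACTIVE_PREFIXES = (b"FWS", b"CWS", b"ZWS", b"MZ", b"PK\x03\x04")
ACTIVE_ANYWHERE = (b"<?php", b"<script", b"<html", b"<svg")

MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Return (extension, content_type) for an acceptable upload, else raise.

    The user-supplied name is used only to read the claimed extension; the
    content decides whether that claim is honoured.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized file")
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    head = data[:16]
    # Active content is rejected before the type check, so a renamed SWF or a
    # PHP tag inside a "text" file never reaches storage.
    if head.startswith(ACTIVE_PREFIXES) or any(p in data.lower() for p in ACTIVE_ANYWHERE):
        raise UploadRejected("active content detected")
    if ext in MAGIC:
        if not head.startswith(MAGIC[ext]):
            raise UploadRejected(f"content does not match .{ext}")
    else:
        # The only non-binary type on the allowlist is txt: require real UTF-8.
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text file is not UTF-8") from None
    return ext, ALLOWED_TYPES[ext]


def is_rejected(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload raises UploadRejected."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


def storage_name(ext: str) -> str:
    """Random on-disk name: the original filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(content_type: str, display_name: str) -> dict[str, str]:
    """Headers for serving a stored upload back: fixed type, no MIME sniffing,
    and forced download so the browser never renders it in the site's origin."""
    safe_name = "".join(c for c in display_name if c.isalnum() or c in "._-").lstrip(".")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name or "download"}"',
        "Content-Security-Policy": "sandbox",
        "Cache-Control": "private, no-store",
    }


if __name__ == "__main__":
    # Constructed sample uploads, not files from the original report.
    samples = {
        "test.txt": b"hello world\n",
        "shot.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "xssproject.swf": b"FWS\x0a" + b"\x00" * 32,   # extension not on the allowlist
        "photo.jpg": b"CWS\x0a" + b"\x00" * 32,        # SWF bytes under an image name
        "notes.txt": b"<?php echo 'hi'; ?>",          # PHP tag inside a "text" file
    }
    for name, blob in samples.items():
        try:
            ext, ctype = validate_upload(name, blob)
            print(f"{name}: accepted as {ctype}, stored as {storage_name(ext)}")
        except UploadRejected as why:
            print(f"{name}: rejected ({why})")
```

Even with these checks, the stronger control is to serve uploads from a separate, cookieless origin so that any file that does slip through cannot act on the portal's session; the headers above are defence in depth. The order of checks matters: content is inspected before the per-type signature, so a renamed SWF fails on its `FWS`/`CWS`/`ZWS` header rather than on a missing JPEG signature, and the rejection reason tells the defender what was actually attempted.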

The vulnerability was fixed immediately after it was reported to the security team.
Happy hunting!! cheers!!

7 comments:

  1. Nice catch dude! What other vulnerabilities did you find in that domain?

  2. @anon Thanks a lot.. I will blog about them soon.

  3. Prajal,

    Good one! I have a small doubt. Is it enough to send a plain email to the security team, or is it mandatory to encrypt it and send it via the key they provided? How did you actually report it?

    Replies
    1. Use the PGP key http://tinyurl.com/k8x4pdu

    2. Thanks! I reported it, Prajal. They provided a UID, but where do I look up that ID to know the status?

  4. They will send you a status update soon.
