Wednesday, September 25, 2013

Arbitrary File Upload in Paypal's http://apps.paypal.com

This was one of many vulnerabilities I found in http://apps.paypal.com as part of their bug bounty program. It is one of their developer portals, hosted on Apache/2.2.22 and running Drupal 7. I reported this issue to Paypal on May 19, 2013.
Here are some of the details of the bug:
After logging into the portal, we can create applications for the developer environment, and as part of this it allowed uploading supporting files (ad hoc files required for mobile app submissions). I uploaded a simple "txt" file and it generated an external link to the file (https://apps.paypal.com/system/files/test_###.txt).


The upload allowed all types of extensions (*.jpg, *.txt, *.gzip, *.php, *.jar, *.exe, etc.) and didn't validate them on the server side. I tried uploading a simple PHP shell, but sadly it didn't work :(.
I tried the "XSS via SWF upload" technique blogged by Soroush Dalili (see here for more details). I uploaded the "xssproject.swf" file and got an external link (https://apps.paypal.com/system/files/xssproject.swf).
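As an added example (not code from the post, nor PayPal's or Drupal's own code), the server-side checks this upload handler was missing, written in Python: a single-extension allowlist, content sniffing that rejects SWF, PHP and HTML bodies whatever the filename says, and download headers that stop the browser from rendering what it fetches. The allowlist, signatures and function names are assumptions; serving uploads from a separate origin remains the stronger fix.

```python
import re

# Allowlist of extensions the portal actually needs, mapped to the MIME type
# they are served with (assumed set; the post names no allowlist).
ALLOWED = {"txt": "text/plain", "jpg": "image/jpeg", "png": "image/png", "pdf": "application/pdf"}

# Leading-byte signatures used to confirm that the content matches the extension.
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-"}

# Content that must never be stored under any name: uncompressed, zlib- and
# LZMA-compressed SWF headers, plus PHP and HTML script markers.
SWF_HEADERS = (b"FWS", b"CWS", b"ZWS")
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# Exactly one extension, safe characters only: "shell.php.txt" does not match.
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Validate one upload server-side. Returns (accepted, mime_type_or_reason)."""
    # Keep only the final path component so "../" or backslashes cannot steer storage.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    m = FILENAME_RE.fullmatch(name)
    if not m:
        return False, "filename rejected (one extension, safe characters only)"
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allowlist"
    head = data[:4096]
    if head.startswith(SWF_HEADERS) or any(s in head.lower() for s in SCRIPT_MARKERS):
        return False, "active content (SWF/PHP/HTML) rejected regardless of extension"
    if ext == "txt":
        if b"\x00" in head:
            return False, "binary content in .txt"
    elif not data.startswith(MAGIC[ext]):
        return False, f"content does not match .{ext} signature"
    return True, ALLOWED[ext]


def download_headers(stored_name: str, mime: str) -> dict[str, str]:
    """Headers for serving a stored file: force download, forbid MIME sniffing."""
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```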
The vulnerability was fixed immediately after it was reported to the security team.
Happy hunting!! cheers!!

12 comments:

  1. Nice catch, dude! What other vulnerabilities did you find in that domain?

  2. @anon Thanks a lot. I will blog about them soon.

  3. Prajal,

    Good one! I have a small doubt. Is it enough to send a plain email to the security team, or is it mandatory to encrypt it and send it via the key they provided? How did you actually report it?

    Replies
    1. Use the PGP key http://tinyurl.com/k8x4pdu

    2. Thanks! I reported it, Prajal. They provided a UID, but where do I search with that ID to know the status?

  4. They will send you a status update soon.
