eBay has patched three vulnerabilities in its Magento shopping platform that could have allowed session hijacking and man-in-the-middle (MitM) attacks. Hadji Samir, a penetration tester with Vulnerability Lab, released technical descriptions of a persistent input validation web vulnerability, a cross-site scripting (XSS) hole, and a cross-site request forgery (CSRF) bug in Magento on Full Disclosure last week.
"The vulnerability is located in the `filename` value of the image upload module," Samir said of the input web flaw he discovered. "The attacker needs to create a `New Message` with upload to change the filename to a malicious payload. The attack vector of the issue is located on the application-side and the request method to inject the script code is POST."
The second bug, a client-side XSS vulnerability, was in the `general_front` values of the `/css/theme.less.php` front-end template file. It allowed remote attackers to inject their own script code into client-side application requests using GET. While active, the attack vector was non-persistent, Samir explained in a post.

The third and final vulnerability, a CSRF web bug, was located in the `create messages` input of the `magento-connect/message/message/create/` module and allowed remote attackers to delete users' internal Magento messages by accessing other low-privilege user accounts without authorization. According to Samir's technical description of the vulnerability, the issue was disclosed to the phpbb board "some years ago".

In addition to publishing posts on each of the bugs, Samir has released proof-of-concept videos demonstrating how attackers could have used the vulnerabilities to intercept session data and then phish for additional information from users. One of these videos is posted below.

The Vulnerability Lab researcher found the XSS vulnerability back in February of this year and the other two bugs approximately one month later, according to Threatpost. He submitted all three vulnerabilities to eBay that same month as part of its bug bounty program. The e-commerce site, which was breached back in the spring of 2014, responded to Samir in April and developed a patch for release last month.
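The three defect classes in this article (a stored filename echoed back unescaped, a GET value rendered into a generated stylesheet, and a state-changing message endpoint with no request token) each have a standard defensive pattern. The block below is an added illustration of those patterns, not Magento's own code and not Samir's proof of concept; Magento is PHP, but the checks are shown here in Python so they run stand-alone. The sample filename and GET value are constructed, and the function names, the `session`/`store` dictionaries and the `general_front` colour assumption are all hypothetical.

```python
import html
import hmac
import os
import re
import secrets

# Constructed sample inputs (not taken from the advisory): a filename an
# uploader might submit and a theme value a GET request might carry.
SAMPLE_FILENAME = '<img src=x onerror=alert(1)>.png'
SAMPLE_GET_VALUE = 'red;} body{background:url(javascript:alert(1))} /*'

# --- 1. Persistent input validation flaw: filename of an image upload --------

def sanitize_upload_filename(name):
    """Reduce a user-supplied filename to a safe basename before it is stored.
    Path components are dropped, anything outside [A-Za-z0-9._-] becomes '_',
    and leading/trailing dots or underscores are removed so the result cannot
    be a hidden file, '.' or '..'."""
    base = os.path.basename(name.replace('\\', '/'))
    cleaned = re.sub(r'[^A-Za-z0-9._-]+', '_', base).strip('._')
    if not cleaned:
        raise ValueError('filename is empty after sanitising')
    return cleaned[:255]

def render_filename_vulnerable(name):
    """The defect class described above: the stored value is echoed into HTML
    unchanged, so a filename carrying markup runs in every viewer's browser."""
    return '<td class="filename">%s</td>' % name

def render_filename_safe(name):
    """Hardened form: escape at the HTML sink regardless of what was stored."""
    return '<td class="filename">%s</td>' % html.escape(name, quote=True)

# --- 2. Reflected XSS through a GET value rendered into a stylesheet --------

# Hypothetical allow-list: a hex colour or a short alphabetic colour name.
CSS_VALUE = re.compile(r'#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[A-Za-z]{1,20}')

def css_value_or_default(value, default='#ffffff'):
    """A value destined for a generated stylesheet is accepted only if it
    matches the allow-list; a string that closes the rule and opens a new one
    (as in SAMPLE_GET_VALUE) falls back to the default instead of being echoed."""
    return value if CSS_VALUE.fullmatch(value) else default

def render_theme_safe(general_front):
    """Assumed shape of the generated rule; only the validated value is used."""
    return 'body { color: %s; }' % css_value_or_default(general_front)

# --- 3. CSRF on a state-changing message endpoint ---------------------------

def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it so
    the form can carry it as a hidden field."""
    session['csrf_token'] = secrets.token_hex(32)
    return session['csrf_token']

def delete_message(session, form, store):
    """State-changing action. Refuses the request unless the submitted token
    matches the session's token (constant-time compare) and the message
    belongs to the authenticated user; both checks must pass."""
    expected = session.get('csrf_token')
    submitted = form.get('csrf_token', '')
    if not expected or not hmac.compare_digest(expected, submitted):
        raise PermissionError('CSRF token missing or invalid')
    msg = store.get(form['message_id'])
    if msg is None or msg['owner'] != session['user_id']:
        raise PermissionError('message does not belong to this user')
    del store[form['message_id']]
    return True

if __name__ == '__main__':
    print(render_filename_safe(sanitize_upload_filename(SAMPLE_FILENAME)))
    print(render_theme_safe(SAMPLE_GET_VALUE))
```

The filename check sanitises on input and escapes on output; either alone leaves a gap (sanitising does nothing for data that was stored before the fix, escaping does nothing for the file system). For the stylesheet value an allow-list is used rather than an escaping function because CSS has no single reliable escape for a value that is interpolated into a rule body. The CSRF check sits in the handler itself, so it cannot be bypassed by reaching the endpoint through a different form.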