PayPal Filter Bypass hits millions of users

Cybersecurity experts from vulnerability-lab.com have found a filter bypass vulnerability in the PayPal application that allows an attacker to insert payloads.

Exploitation of the persistent web vulnerability requires a low-privileged PayPal application user account and only low user interaction.

Successful exploitation of the vulnerability results in persistent session hijacking, persistent phishing, persistent external redirects, and persistent manipulation of affected or connected module web context.

According to the report, once the attacker has gained access, the following is possible:

A remote attacker is able to create multiple customer orders with injected payloads. When the admin merchant account user logs in and checks the PayPal Multi Online Shipping Orders, the exploit gets triggered.

Proof of Concept (PoC):

The filter bypass and persistent validation web vulnerability can be reproduced by remote attackers with a low-privileged application user account and low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Note: You need two accounts to reproduce this PoC: #1, the main business account, and #2, a second low-privileged user with access limited to the PayPal Multi Online Shipping module.

  1. Log in to the shipping application as the low-privileged user
  2. Go to Settings > Shipping Presets > Create Shipping Preset
  3. Enter dummy data for a test
  4. Fill in the input fields with dummy data and, before clicking ‘Save’, intercept the POST request using Tamper Data or any other HTTP intercepting proxy
  5. Fill dummy data in all other fields (I used digits only during the PoC)
  6. Intercept the POST request, enter the payload under the <PresetName> field and click OK
  7. Refresh your browser once; you should now have a new preset added in the shipping application

Multi User Accounts: PoC
To reproduce successfully, log in to the shipping application as the privileged user and go to Settings; you will get a JavaScript popup proving the existence of this vulnerability.
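
The steps above work because the value of <PresetName> is changed in the intercepted POST request, after any check made in the browser. The following is an added example, not code from PayPal or from the report, of the two server-side controls that close this class of bug: allow-list validation of the field when the request arrives, and HTML encoding when the stored value is rendered. The XML layout around <PresetName>, the allow-list policy and all function names are assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET

# Assumed policy: preset names are short and use only these characters.
PRESET_NAME_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


class RejectedInput(ValueError):
    """Raised when the request body fails server-side validation."""


def parse_preset_name(body: str) -> str:
    """Validate PresetName on the server, where a proxy cannot skip the check."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise RejectedInput("DTDs are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise RejectedInput("malformed XML") from exc
    field = root.find("PresetName")
    if field is None or len(field) > 0:  # missing, or markup nested inside it
        raise RejectedInput("PresetName missing or contains child elements")
    name = (field.text or "").strip()
    if not PRESET_NAME_RE.fullmatch(name):
        raise RejectedInput("PresetName contains characters outside the allow-list")
    return name


def render_preset_row(stored_name: str) -> str:
    """Encode on output too, so values stored before the fix stay inert."""
    return "<td>" + html.escape(stored_name, quote=True) + "</td>"


# Constructed request bodies (hypothetical element layout around <PresetName>).
GOOD = "<ShippingPreset><PresetName>Domestic 2-day</PresetName></ShippingPreset>"
ENCODED = ("<ShippingPreset><PresetName>&lt;script&gt;alert(1)&lt;/script&gt;"
           "</PresetName></ShippingPreset>")
NESTED = "<ShippingPreset><PresetName><b>x</b></PresetName></ShippingPreset>"

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("encoded", ENCODED), ("nested", NESTED)):
        try:
            print(label, "accepted:", parse_preset_name(body))
        except RejectedInput as err:
            print(label, "rejected:", err)
    print(render_preset_row("<script>alert(1)</script>"))
```

Output encoding is the control that protects the privileged user's Settings page even when a bad value is already in the database; input validation alone does not cover presets saved before the fix.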

Read more about this vulnerability at the source.