BestCyberNews: Online News Presenter in the present world
Hacker Found Vulnerability on EBay website

David Vieira-Kurz, a security researcher from Germany, has discovered a remote code execution vulnerability in the eBay website. This time the researcher found a controller that was prone to remote code execution because of a type-cast issue in combination with PHP's complex curly syntax.

In the researcher's words, "The vulnerable subdomain was the same where I found an exploitable SQL injection last year, which is located at http://sea.ebay.com." The 'q' parameter of the 'search' page on the South Asian eBay domain was found to be vulnerable to remote code execution.

The researcher passed the 'q' parameter as an array carrying a command, and the command was successfully executed. The proof he provided prints the information about the PHP installation running on the server.

According to David: "From my point of view that was enough to prove the existence of this vulnerability to the eBay security team and I didn't want to cause any harm. What could an evil hacker have done? He could for example investigate further and also try things like {${`ls -al`}} or other OS commands and would have managed to compromise the whole webserver."

David also released a proof-of-concept video of this remote code execution vulnerability.

David reported the vulnerability to the eBay security team, and it has since been fixed.
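The two traits of this bug described above, a scalar 'q' parameter submitted in array form and a value carrying PHP's complex curly syntax, are easy to pick out of web server access logs. The script below is an added example written for this article, not code from the researcher or from eBay; the log lines it scans are constructed, and the parameter names treated as scalar are an assumption of the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines for this example (not real eBay traffic).
# The third request carries the array-form 'q' parameter with URL-encoded PHP
# curly syntax; the first two are ordinary searches.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2013:10:01:02 +0000] "GET /search?q=laptop HTTP/1.1" 200 5120
203.0.113.7 - - [13/Dec/2013:10:01:09 +0000] "GET /search?q[]=laptop HTTP/1.1" 200 4800
203.0.113.9 - - [13/Dec/2013:10:02:44 +0000] "GET /search?q[]=%7B%24%7Bphpinfo()%7D%7D HTTP/1.1" 200 61234
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# '${' opens PHP's complex (curly) syntax inside a double-quoted string; we look
# for it after URL decoding so the encoding used in the request does not matter.
CURLY_RE = re.compile(r'\$\{')
ARRAY_NAME_RE = re.compile(r'^[^\[]+\[')   # q[] or q[0]: array-form parameter

def classify_request(target, scalar_params=("q",)):
    """Return a list of (param, severity, reason) findings for one request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        base = name.split("[", 1)[0]
        is_array = bool(ARRAY_NAME_RE.match(name)) and base in scalar_params
        has_curly = bool(CURLY_RE.search(value))
        if is_array and has_curly:
            findings.append((base, "high", "array-form scalar parameter carrying PHP curly syntax"))
        elif has_curly:
            findings.append((base, "medium", "PHP curly syntax in parameter value"))
        elif is_array:
            findings.append((base, "low", "array passed where a scalar string is expected"))
    return findings

def scan_log(text):
    """Return [(line_no, findings)] for every log line with at least one finding."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = classify_request(match.group(1))
            if findings:
                hits.append((line_no, findings))
    return hits

if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        for param, severity, reason in findings:
            print(f"line {line_no}: [{severity}] {param}: {reason}")
```

On the server side the same type-cast issue is closed by rejecting non-string input for parameters the controller expects as strings, so the array never reaches the string-interpolation path.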

Author: Venkatesh Yalagandula
