[super very critical] RCE and Unlimited Credits PayPal vulnerability. #43

Merged
merged 2 commits into from
Jan 8, 2017

@sanasol sanasol commented Jan 8, 2017

Checks if payment notify is received from PayPal servers.
Prevents two critical bugs.
Special request to PayPal notify with bypass of PayPal receiver email
check.

  1. Creates executable .php file in payments log folder via
    saveDetailsToFile() function.
  2. Sending fake completed payment to get unlimited credits.

Hack report example:

https://gist.github.com/S-anasol/9c91d92686bd0e882ee672a394fa1567#file-gistfile1-txt-L45-L48
Highlighted lines are a bug execution example.
Bypass PayPal email check (receiver_email) and create shell file (txt_id)
with any code inserted into any request variable.


sanasol commented Jan 8, 2017

<link temporarily removed>

@MishimaHaruna MishimaHaruna merged commit 98fd819 into HerculesWS:master Jan 8, 2017
@MishimaHaruna
Member

Merged, thank you very much
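
The two problems described in the pull request above, shown as an added defensive example that is not code from this pull request or from the project. It assumes the log file name is built from the request's transaction id (the standard IPN variable `txn_id`); the function names, log directory, e-mail address and sample notifications are hypothetical and constructed for illustration.

```php
<?php
// Added example; function names and sample values are hypothetical.

// Build the log path for a notification. The request supplies txn_id, so it
// must not be able to choose the directory or the file extension.
function ipnLogPath(string $logDir, string $txnId): string
{
    // Allowlist instead of clean-up: letters and digits only (assumed format).
    if (!preg_match('/\A[A-Za-z0-9]{1,32}\z/', $txnId)) {
        throw new InvalidArgumentException('txn_id rejected');
    }
    return rtrim($logDir, '/') . '/' . $txnId . '.log';
}

// Decide whether a notification may add credits. $verified is the result of
// the caller's origin check (e.g. PayPal answered VERIFIED to the
// cmd=_notify-validate postback); request fields alone are never enough.
function ipnMayCredit(array $post, bool $verified, array $ourEmails): bool
{
    if (!$verified) {
        return false;
    }
    $receiver = strtolower(trim((string) ($post['receiver_email'] ?? '')));
    $status   = (string) ($post['payment_status'] ?? '');
    return $status === 'Completed'
        && in_array($receiver, array_map('strtolower', $ourEmails), true);
}

// Constructed sample notifications: [label, POST fields, origin verified?].
$ours = ['shop@example.com'];
$samples = [
    ['forged', ['txn_id' => 'a.php', 'receiver_email' => 'shop@example.com',
                'payment_status' => 'Completed'], false],
    ['genuine', ['txn_id' => '4XK20351AB1234567', 'receiver_email' => 'Shop@example.com',
                 'payment_status' => 'Completed'], true],
];

foreach ($samples as [$label, $post, $verified]) {
    try {
        $path = ipnLogPath('/var/log/payments', $post['txn_id']);
    } catch (InvalidArgumentException $e) {
        $path = '(not written: ' . $e->getMessage() . ')';
    }
    $credit = ipnMayCredit($post, $verified, $ours) ? 'yes' : 'no';
    echo "$label: log=$path credit=$credit\n";
}
```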
