Vulnerability Type: Privilege Escalation
Vulnerable Website: https://www.paypal-labs.com
Status: Fixed
Vulnerability Overview: This vulnerability allowed an attacker to delete any user registered in paypal-labs.com.
Details/Write-up:
I forgot to take screenshots but I am sure my detail write-up will clear everything.
First of all I registered here-
https://www.paypal-labs.com/
I had to login with my own Paypal account and then set the username. For e.g. sehgal
So, my account page was-
https://www.paypal-labs.com/
Then after heading to account settings page, I found that there was a option to delete our own account.
Deletion link of my account was-
https://www.paypal-labs.com/loginwithpaypal/sehgal/delete-user.php?id=2134
where "2134" was my User-ID.
I tried to change the "2134" value to someone's else User-ID and sent the request.
Arghh! Error.. I was unable to delete it. Nevermind, no token was passed while request.
Vulnerable Website: https://www.paypal-labs.com
Status: Fixed
Vulnerability Overview: This vulnerability allowed an attacker to delete any user registered in paypal-labs.com.
Details/Write-up:
I forgot to take screenshots but I am sure my detail write-up will clear everything.
First of all I registered here-
https://www.paypal-labs.com/
I had to login with my own Paypal account and then set the username. For e.g. sehgal
So, my account page was-
https://www.paypal-labs.com/
Then after heading to account settings page, I found that there was a option to delete our own account.
Deletion link of my account was-
https://www.paypal-labs.com/loginwithpaypal/sehgal/delete-user.php?id=2134
where "2134" was my User-ID.
I tried to change the "2134" value to someone's else User-ID and sent the request.
Arghh! Error.. I was unable to delete it. Nevermind, no token was passed while request.
Cheers! Found CSRF. But THAT'S NOT MUCH EFFECTIVE.
So, I continued testing and came with very cool link. :)
Remember my deletion link?
It was-
https://www.paypal-labs.com/loginwithpaypal/sehgal/delete-user.php?id=2134
I tried to modify URL a bit. Put "admin" in place of my username. I tried to delete the user with User-ID 2145. Final link becomes like this-
https://www.paypal-labs.com/loginwithpaypal/admin/delete-user.php?id=2145
BOOM! User got deleted. Edit URL and change "id" attribute to any USER-ID and it will delete the user without any verification.
Paypal rewarded me with 2000$ for reporting this vulnerability.
Posts
4 comments
Nice findings :) (y)
ReplyThx! :D
Reply
ReplyWhat you get from RSC Bux - Main Benefits :
Earn from home
Garneted ads daily
Detailed statistics
forum permissions
Upgrade plans
Instant Payment
Reach millions of clients
Easy management
Demographic filter
Affordable rates
Anti-cheat protection
Detailed statistics
WWW.RSCBUX.COM
bux
the rsc bux
advertising
perfect money
get Free Money Online
This one takes a bit of timing, and a lot of patience: as soon as you see the signs, get your child to the potty/toilet as quickly as you can (you might need to lift them up and run!), and put them on the toilet seat. Sit with him reading or with an iPad or whatever until he goes. Huge applause and reward. Repeat until the connection is made. I have found some good pottytrainingapp from searching google. You may try this apps for become a special potty trainer for your sons. Thanks.
ReplyPost a Comment