Bugtraq mailing list archives

RE: eBay Account Phishing with eBay Redirect - Ebay fixed this + related XSS hole


From: "Rager, Anton (Anton)" <arager () avaya com>
Date: Thu, 31 Mar 2005 11:21:35 -0700


It appears that Ebay finally removed this redirector CGI. In the process
they eliminated/fixed another flaw with that same CGI that allowed XSS
attacks. I reported this issue to Ebay around the time this redirection
CGI originally hit bugtraq, but never heard back on resolution.

The redirector CGI on Ebay's cgi4.ebay.com server would also accept URLs
with a javascript: tag as well as the reported "http://" URLs. This
allowed an XSS attack against the document.domain of cgi4.ebay.com.
cgi4.ebay.com appears to be used for some account admin functions --
this attack could have allowed theft of Ebay cookies for account
impersonation, or session hijacking with something like my XSS-Proxy
tool. Impact of XSS could have been access to account admin functions as
the impersonated/hijacked victim. The window of opportunity was somewhat
small as cgi4.ebay.com requires re-authentication for fiddling with
account stuff -- but after a user has authenticated once to
cgi4.ebay.com it doesn't ask for additional auth during session, and an
attacker would have been able to view/modify some account info.

Here's a basic example that used to work before:
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=javascript:alert('test');

This appears to have been fixed so is only a historical note at this
point.

I've found stuff like this with related redirector logic on other sites,
so perhaps this is useful to others. I've also found that frequently
these sorts of redirection CGIs can also have a HTTP response-header
splitting vulnerability (with the location: tag in the redirect) that
can also be used for XSS (and other attacks), but I didn't test for this
with the Ebay redirector.
(see Amit's excellent paper on response splitting at:
http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf)


Regards,

Anton Rager
arager () avaya com
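The two flaws Anton describes share one root cause: the redirector copied DomainUrl into the response without checking scheme, host, or control characters. As an added example (not eBay's code, and not from either poster), here is how a redirector target should be validated before it reaches a Location: header. The allowlisted hosts are constructed placeholders; the decode-once step assumes the CGI percent-decodes the parameter, which is what lets %0d%0a reach the header.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist: the only hosts a redirect may point at.
ALLOWED_HOSTS = {"www.example.com", "signin.example.com"}
# Constructed fallback landing page used when the target is rejected.
DEFAULT_TARGET = "https://www.example.com/"


def validate_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). ok is True only for an absolute http(s) URL
    whose host is allowlisted and which contains no CR/LF."""
    # Decode once, as the redirector would. A CR/LF hidden behind
    # percent-encoding would otherwise be decoded straight into the
    # Location: header and split the response (header injection).
    decoded = unquote(raw)
    if "\r" in decoded or "\n" in decoded:
        return False, "CR/LF in target (response-splitting attempt)"
    parts = urlsplit(decoded.strip())
    scheme = parts.scheme.lower()
    # Rejects javascript:, data:, vbscript: and the scheme-less
    # "www.website.com" form, which urlsplit treats as a bare path.
    if scheme not in ("http", "https"):
        return False, f"scheme {scheme!r} not allowed"
    # hostname excludes userinfo, so http://www.example.com@evil.example/
    # is judged by its real host (evil.example), not by the decoy prefix.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    return True, decoded.strip()


def location_header(raw):
    """Value to emit in the Location: header for a redirect request;
    falls back to DEFAULT_TARGET rather than echoing bad input."""
    ok, value = validate_redirect_target(raw)
    return value if ok else DEFAULT_TARGET
```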

-----Original Message-----
From: Steven [mailto:steven () lovebug org] 
Sent: Saturday, February 12, 2005 11:09 PM
To: incidents () securityfocus com; bugtraq () securityfocus com
Subject: eBay Account Phishing with eBay Redirect

I am not sure if this is better served by incidents or bugtraq, but in
any event here it is.  I frequently get the fake looking e-mails phishing
for my Paypal, eBay, and banking login/password information.  Generally
the links to the spoofed webpages are just links to a fake page with a
modified A HREF tag.  However, it appears someone has found that eBay's
actual page has a command to redirect to a specified webpage.  While this
shouldn't be a big risk, it still poses a small one and is being actively
exploited.

The page actually appears to link to eBay and it does, the link below is
the one I received in my inbox recently.

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh

Simply:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com


Steven
steven () lovebug org 
