Wednesday, September 25, 2013

Arbitrary File Upload in PayPal's http://apps.paypal.com

This was one of many vulnerabilities that I found in http://apps.paypal.com as part of their bug bounty program. It is one of their developer portals, hosted on Apache/2.2.22 and running Drupal 7. I reported this issue to PayPal on May 19, 2013.
Here are some of the details of the bug:
After logging into the portal you can create applications for the developer environment, and as part of that it allowed uploading supporting files (ad hoc files required for mobile app submissions). I uploaded a simple "txt" file and it generated an external link to the file (https://apps.paypal.com/system/files/test_###.txt).

The upload accepted every extension (*.jpg, *.txt, *.gzip, *.php, *.jar, *.exe, etc.) and did not validate them on the server side. I tried uploading a simple PHP shell, but sadly it didn't work :(.
I then tried the "XSS via SWF upload" technique blogged by Soroush Dalili (see his post for more details). I uploaded the "xssproject.swf" file and got an external link (https://apps.paypal.com/system/files/xssproject.swf).
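The two defects described above, no server-side extension allowlist and uploaded files being served from the portal's own origin where an SWF can run script against it, are what a fix has to address. The following is an added example, not code from this post or from PayPal's portal: it shows the server-side checks in Python with an assumed allowlist of jpg/png/pdf/txt, and a Drupal 7 site would implement the same logic in PHP.

```python
import re
import secrets

# Allowlist of extensions this upload endpoint needs (assumed set for the example),
# mapped to the magic bytes a genuine file of that type must start with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "txt": (),  # no magic; must be UTF-8 text with no active-content markers
}

# Signatures rejected under any file name. An SWF begins with FWS (uncompressed),
# CWS (zlib) or ZWS (LZMA); the text patterns are script/markup a browser or PHP
# handler would execute if the file were ever served from the same origin.
ACTIVE_PREFIXES = (b"FWS", b"CWS", b"ZWS")
ACTIVE_TEXT = re.compile(rb"<\?(php|=)|<script|<html|<svg", re.IGNORECASE)


def validate_upload(filename: str, data: bytes):
    """Return (True, ext) if the upload is acceptable, else (False, reason)."""
    if "." not in filename:
        return False, "missing extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not in allowlist"
    if data.startswith(ACTIVE_PREFIXES):
        return False, "SWF content rejected regardless of file name"
    magic = ALLOWED_MAGIC[ext]
    if magic and not data.startswith(magic):
        return False, f"content does not match .{ext} signature"
    if ext == "txt":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "txt upload is not valid UTF-8"
        if ACTIVE_TEXT.search(data):
            return False, "txt upload contains script or markup"
    return True, ext


def stored_name(ext: str) -> str:
    """Never reuse the client-supplied name: random token plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(stored: str) -> dict:
    """Serve stored uploads as downloads so the browser never renders them in-origin."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Serving uploads from a separate, cookie-less domain is the stronger complement to these headers, since it takes the file out of the portal's origin entirely.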

The vulnerability was fixed immediately after it was reported to the security team.
Happy hunting!! cheers!!