Security experts at Vulnerability Laboratory published a new report on a recently patched SQL injection vulnerability on PayPal’s website. The critical flaw, which allowed attackers to inject SQL commands through the web application into the backend databases, could be exploited remotely.
In early January the researchers produced a proof-of-concept demo and reported the flaw to PayPal. The bug was patched in late January.
According to Vulnerability Laboratory, the flaw was not abused. The researchers said that the vulnerability was located in the “analysis all review” module, in the page id parameter used when listing results.
Successful exploitation of the bug could result in web application context manipulation via DBMS injection, website defacement, hijacking of database accounts via DBMS extraction, disclosure of database content, data loss or full DBMS compromise.
“When a customer is processing to request the link to, for example, page 7, the server will include the integer value not encoded or parsed in the URL path,” the report stated.
Benjamin Kunz Mejri of Vulnerability Laboratory claimed that attackers could replace the integer page value with SQL statements to compromise the DBMS application, as well as all PayPal accounts.
The Polish security firm stated: “The second problem is the server is bound to the main site auth which allows after a SQL and DBMS compromise via inject to exploit the bound PayPal Inc. services. Attackers can access all database tables and columns to steal the GP+ database content and disclose information, deface the website, phish account or extract database password/username information.”
The advisory by the Polish researchers suggests that the vulnerability could be fixed by a “secure parse of the page parameter request when processing to list via GET method”.
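The weakness and the recommended fix, as an added illustration that is not from the advisory or from PayPal’s code: a listing query that splices the raw page value into the SQL text beside one that parses the value strictly and binds it as a parameter. The table, column names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: review ids and the listing page each one belongs to.
SAMPLE_REVIEWS = [(1, 1), (2, 1), (3, 2), (4, 2), (5, 7), (6, 7), (7, 8)]

# Strict shape for a page number: a positive decimal integer and nothing else.
PAGE_RE = re.compile(r"^[1-9][0-9]{0,5}$")


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reviews (id INTEGER PRIMARY KEY, page_no INTEGER)")
    conn.executemany("INSERT INTO reviews VALUES (?, ?)", SAMPLE_REVIEWS)
    return conn


def list_reviews_vulnerable(page):
    """The pattern the advisory describes: the raw page value taken from the
    URL is spliced into the SQL statement without being parsed or encoded."""
    sql = f"SELECT id FROM reviews WHERE page_no = {page} ORDER BY id"
    with _connect() as conn:
        return [row[0] for row in conn.execute(sql)]


def parse_page(raw):
    """Reject anything that is not a plain positive integer before use."""
    if not isinstance(raw, str) or not PAGE_RE.match(raw):
        raise ValueError("page must be a positive integer")
    return int(raw)


def list_reviews_safe(page):
    """Hardened form: strict parse, then a bound parameter, so the value can
    never become part of the SQL text."""
    page_no = parse_page(page)
    with _connect() as conn:
        rows = conn.execute(
            "SELECT id FROM reviews WHERE page_no = ? ORDER BY id", (page_no,)
        )
        return [row[0] for row in rows]


if __name__ == "__main__":
    print(list_reviews_vulnerable("7"))         # [5, 6]
    print(list_reviews_vulnerable("7 OR 1=1"))  # every row: the value became SQL
    print(list_reviews_safe("7"))               # [5, 6]
    try:
        list_reviews_safe("7 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```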