|[network & security news] [RSS & Twitter] [articles, programing info] [books] [links, soft & more...] [soft archive]||[home]|
Multiple PHP Toolkit for PayPal Vulnerabilities
Versions affected: PHP Toolkit for PayPal v0.50 (and may be prior)
Date: 12th January 2006
Type of Vulnerability: Sensitive Information Disclosure and Payment System Bypass
Solution Status: Unpatched
Vendor was notified on 9th January 2006 without answer
Discovered by: .cens, uinC Team
Online location: http://www.uinc.ru/articles/vuln/ptpaypal050.shtml
From vendor web-site:
"The PHP Toolkit provides a set of scripts that faciliatate the integration of PayPal into an ecommerce service. It provides scripts that generate a PayPal form dynamically as well as scripts to process Instant Payment Notifications."
1) Payment System Bypass
If the payment through PayPal.com was completed successfully, payment data is transferred to ipn.php, which in turn executes ipn_success.php, passing it the parsed payment data as parameters using POST request. ipn_success.php will enter the passed data straight into log file without verifying where this data came from. This means, an attacker can reproduce the POST request and enter the details of the successful payment into the log file even if there was no payment through PayPal.com
2) Sensitive Information Disclosure
PHP Toolkit for PayPal vendor documentation recommends to set permissions for the "logs" directory "../ipn/logs/" to 777. Data from ipn_success.php suggests that the payment data log file is "logs/ipn_success.txt", which, if installed according to documentation, will have global read permission. As a result, anyone is able to view the transaction data.
[c] .cens, uinC Team
Все документы и программы на этом сайте собраны ТОЛЬКО для образовательных целей, мы
не отвечаем ни за какие последствия, которые имели место как следствие использования
этих материалов\программ. Вы используете все вышеперечисленное на свой страх и риск.
|Underground InformatioN Center [&vulnerability]|
|2000-2015 © uinC Team|