PayPal's X.com Failure to Restrict URL Access Vulnerability
I want to share one of my findings on PayPal's X.com, which I reported to them on 3 January 2013.
I found that the following PayPal X.com URL, https://www.x.com/sites/, was vulnerable to a Failure to Restrict URL Access vulnerability: email attachment URLs could be accessed without login or authentication, and there was no authorization check or other control in place to mitigate this attack.
Steps to Reproduce the Vulnerability:
1. Create two X.com user accounts for testing or for reproducing the vulnerability.
2. Using the 1st user account (ajaysinghnegi01), I composed an email message with the compose feature, attached a file named "failure to restrict url vul for any attachments.txt", and sent that mail to the 2nd user account (ajaysinghnegi02).
3. The 2nd user can access that attached file by logging into his account and checking the received email's attachment, which is served from the following URL:
https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt
4. Because this path, https://www.x.com/sites/default/files/, is the same for every user's email attachments, the attacker crafts the URL from https://www.x.com/sites/default/files/ to https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt by appending the file name with its extension and replacing each space with an underscore (_). So he successfully crafted the unrestricted URL
https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt
to access any other X.com user's attachments without logging in.
Failure to Restrict Vulnerable URL (to reproduce this vulnerability, open this URL in any browser without logging in):
Impact: Using this Failure to Restrict URL Access vulnerability an attacker could easily read and download all private email attachments without logging in, and all X.com users were exposed to this attack.
Recommendation:
The authentication and authorization policies should be role based, to minimize the effort required to maintain these policies.
The policies should be highly configurable, in order to minimize any hard-coded aspects of the policy.
The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page.
If the page is involved in a workflow, check to make sure the conditions are in the proper state to allow access.
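As an added example (not X.com's or PayPal's code; the in-memory data model, session tokens, user names and message states are all constructed assumptions), here is the shared-upload-directory pattern from the steps above beside a deny-by-default download check that implements the recommendations, including the workflow-state condition:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    state: str          # workflow state: only "delivered" mail may be read
    attachments: dict   # attachment id -> stored file name


# Constructed sample data mirroring the post's test scenario (hypothetical, not real X.com records).
MESSAGES = {
    "msg-1": Message("ajaysinghnegi01", "ajaysinghnegi02", "delivered",
                     {"att-1": "failure_to_restrict_url_vul_for_any_attachments.txt"}),
    "msg-2": Message("ajaysinghnegi01", "ajaysinghnegi02", "draft",
                     {"att-2": "unsent_notes.txt"}),
}
# Constructed session store: token -> logged-in user ("otheruser" is an unrelated third account).
SESSIONS = {"tok-01": "ajaysinghnegi01", "tok-02": "ajaysinghnegi02", "tok-03": "otheruser"}
# Files as they sat in the shared upload directory: the file name alone was the only "key".
UPLOAD_DIR = {name for m in MESSAGES.values() for name in m.attachments.values()}


def serve_upload_unchecked(file_name):
    """Vulnerable pattern: no session, no ownership check; guessing the name is enough."""
    return (200, file_name) if file_name in UPLOAD_DIR else (404, None)


def authorize_attachment(session_token, message_id, attachment_id):
    """Hardened pattern: deny by default, grant only to an authenticated participant
    of a delivered message, and only for an attachment that belongs to that message.
    Returns (HTTP status, file name to stream); the caller streams only on 200."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None            # not authenticated
    msg = MESSAGES.get(message_id)
    if msg is None or user not in (msg.sender, msg.recipient):
        return 404, None            # not a participant: same answer as "no such message"
    if msg.state != "delivered":
        return 403, None            # workflow state does not yet permit reading
    file_name = msg.attachments.get(attachment_id)
    if file_name is None:
        return 404, None            # attachment is not part of this message
    return 200, file_name
```

Routing downloads through a message-scoped check like this also means the stored file name never has to be guessable or stable across users.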
The vulnerability was mitigated by the PayPal Security Team within 3 days.
So in this way I was able to read and download PayPal X.com users' private email attachments; this approach can also be used to find the same type of vulnerability on other websites.
Suggestions and feedback are welcome.