Remote code-execution vulnerability on Ebay website discovered by a Pentester

A security pen tester from Germany @secalert discovered remote code execution vulnerability on ebay website.

As per David Vieira-Kurtz blog , “I found a controller which was prone to remote-code-execution due to a type-cast issue in combination with complex curly syntax. ”  

David exploited the RCE flaw on ebay.com website and displayed output of phpinfo() PHP function on the web page  by modifying the url and injecting code to the function.

Video regarding this vulnerability can be found here.

 

The researcher reported this vulnerability to ebay and this big has been fixed as per his blog

 

Share Button

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>