Sunday, March 17, 2013

Researcher finds serious vulnerability in a PayPal subdomain

Information security researcher Prakhar Prasad has disclosed a serious vulnerability in a PayPal subdomain.

Using the vulnerability, an attacker could upload files of various formats to the PayPal server. The source of the flaw was an outdated version of the DotNetNuke CMS, which allowed uploads to the site in the following formats: docx, xlsx, pptx, swf, jpg, jpeg, jpe, gif, bmp, png, doc, xls, ppt, pdf, txt, xml, xsl, css, zip and spin. The upload check was based on the file extension alone, so the only thing the allow list controlled was the name the attacker chose.

According to the researcher, criminals could have used the vulnerability to host malicious files on the site. For example, an uploaded malicious SWF file creates a stored XSS vulnerability, because a Flash object runs with the origin of the host that serves it and can therefore script against the PayPal site; infected docx, pptx, xls or PDF files could be used to deliver client-side exploits to BillMeLater users from a trusted domain; and a txt file containing an attacker's message is enough to deface the site.
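The three abuses above share one root cause: the upload handler trusted the declared extension and never looked at the bytes. As an added example (not code from the page, from PayPal or from DotNetNuke), the following hypothetical Python validator shows the checks a practitioner would want on an upload endpoint: a tight allow list, a magic-byte check that the body really is the declared type, rejection of Flash and markup bodies regardless of extension, and download headers that keep the browser from rendering stored files in the site's origin. The allow list, file names and sample bytes are constructed for the example.

```python
import io
import os
import zipfile

# Hypothetical allow list for the example: only types the application needs.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip", "docx", "xlsx", "pptx"}

# Leading bytes each binary type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "pptx": (b"PK\x03\x04",),
}
# Office Open XML packages are zips; each type has a characteristic top-level folder.
OOXML_ROOT = {"docx": "word/", "xlsx": "xl/", "pptx": "ppt/"}

SWF_PREFIXES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA Flash
MARKUP_MARKERS = (b"<script", b"<html", b"<svg", b"<iframe", b"<object", b"<embed")


def extension(filename: str) -> str:
    """Lower-cased last suffix of the bare file name; 'shell.aspx.jpg' -> 'jpg'."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_ooxml(data: bytes, ext: str) -> bool:
    """True if the zip has the content-types part and the folder expected for ext."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and any(n.startswith(OOXML_ROOT[ext]) for n in names)


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason). Extension and body must agree; active content is refused."""
    if any(ord(c) < 32 for c in filename):  # NUL and other control bytes in names
        return False, "control character in file name"
    ext = extension(filename)
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allow list"
    if data.startswith(SWF_PREFIXES):
        return False, "SWF body rejected regardless of extension"
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            return False, f"body does not look like a .{ext} file"
        if ext in OOXML_ROOT and not is_ooxml(data, ext):
            return False, f"zip body is not a valid .{ext} package"
        return True, "ok"
    # Only txt remains: must be UTF-8 text and must not carry markup a browser might render.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "text upload is not UTF-8"
    if any(m in data.lower() for m in MARKUP_MARKERS):
        return False, "markup found in text upload"
    return True, "ok"


def download_headers(stored_id: str) -> dict:
    """Headers for serving a stored upload: force download, forbid MIME sniffing.
    stored_id is a server-generated identifier, never the user-supplied name."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_id}"',
        "X-Content-Type-Options": "nosniff",
    }


def make_ooxml(root: str) -> bytes:
    """Constructed minimal OOXML-like package for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(root + "document.xml", "<doc/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),   # genuine PNG header
        ("banner.jpg", b"FWS\x0a" + b"\x00" * 12),           # SWF renamed to .jpg
        ("shell.aspx", b"<% Response.Write(1) %>"),          # not on the allow list
        ("notes.txt", b"<script>alert(1)</script>"),         # markup in a text file
        ("report.docx", make_ooxml("word/")),                # well-formed package
        ("report.docx", b"PK\x03\x04garbage"),               # zip magic, no zip structure
    ]
    for name, body in samples:
        print(name, check_upload(name, body))
```

Serving uploads from a separate origin (a dedicated download host) is the other half of the fix: even if a malicious file slips through, a SWF or HTML body loaded from another origin cannot script against the main site.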

The researcher says he also tried to upload a web shell, which would have let him execute arbitrary code on the server. Those attempts failed because the server software had been kept up to date.

Prakhar Prasad discovered the vulnerability on March 1 and immediately notified PayPal. PayPal's specialists closed the hole promptly, and Prasad received a $5,000 (3,800 euro) bounty from the payment company.
