Ebay vulnerability - It's possible to bid without knowing...



Mr.Faxanadu
04-19-2005, 04:10 PM
Got this from a friend in IT. It sounds like it's possible to make an auction page such that eBay thinks the next person who views it actually bid on it. X_x

Here's the bulletin:

Vulnerable System:

This vulnerability affects eBay, the auction websites.

Vulnerability Title:

Session Riding/Cross Site Request Forgery Attack.

Vulnerability discovery and development:

This issue was conceived by James Fisher having read the paper "Session
Riding"[1] which was posted to the web application security mailing list
15th December 2005. The issue was further researched and developed to
the point of Proof of Concept by Dave Armstrong with additional input
from Martin Murfitt.

Successful exploitation of this issue allows malicious users to list an
item for auction in such a way that any subsequent user who views the
item automatically places a bid for that item with the value being bid
under the control of the malicious user. This does however require that
the user who views the item has logged into eBay.

Affected systems:

This issue affects the eBay auction web sites.

Details:

All that is required to expose this issue is placing an item listing for
auction on eBay and adding a link to an off-site image. This link in
reality would point to a CGI script that instead of returning an image
returns a (HTTP 302) redirect response, referring the user back to the
eBay URL to automatically submit a bid.

An example of a typical URL:

http://offer.ebay.co.uk/ws/eBayISAPI.dll?MfcISAPICommand=MakeBid&item=[ITEM ID]&maxbid=%A3[BID]&quant=1&javascriptenabled=1&mode=1

Users viewing the page that have not logged in simply receive a broken
image, while logged in users silently place a bid on the item. They will
remain unaware they have taken this action until the confirmation email
is received or the user either refreshes the item or otherwise checks
the items they have bid upon. This issue has not been tested with the
"Buy Now" functionality.

Additionally, although the EBay site normally uses a POST request with
what appear to be session specific values to submit bids, it was
discovered that removing these session values and changing the method to
GET still generated a valid request that was accepted by the server.

Impact:

Items placed for auction can be controlled to the point of placing
incremental bids (value at the attacker's discretion) without the user's
consent. This does however pose a minimal risk, as users are informed
via email of their bid.

Exploit:

Portcullis have working POC code for this issue, however, this will not
be published within this advisory until eBay has resolved the issue.

Vendor Notified:

EBay were notified first on 22 December 2004 via email to the support
mail address and other standard email addresses such as postmaster,
security, issues, bugs, abuse etc. The standard web contact form was
completed and sent on 23 December 2004. Further emails were sent during
January 2005, February 2005 and March 2005.

Vendor Response:

No response has been received.

References:

[1] http://www.securenet.de/papers/Session_Riding.pdf
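
As an added illustration that is not part of the advisory or of any eBay or Portcullis code, the toy Python handler below reproduces the flaw the bulletin describes (any method accepted, the session cookie alone authorising the bid) next to a hardened version that insists on POST and a per-session token; the session store, cookie name and field names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store (cookie value -> user and per-session CSRF token).
SESSIONS = {
    "sid-alice": {"user": "alice", "csrf": secrets.token_hex(16)},
}


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)   # query string or form body, merged
    cookies: dict = field(default_factory=dict)


def make_bid_vulnerable(req):
    """Mirrors the advisory's flaw: any HTTP method is accepted and the session cookie
    alone authorises the bid, so the GET the victim's browser issues after the 302
    from the off-site 'image' is indistinguishable from a deliberate bid."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "login required"   # not logged in: the 'broken image' case
    return 200, f"{sess['user']} bid {req.params['maxbid']} on item {req.params['item']}"


def make_bid_hardened(req):
    """Accept a bid only over POST and only with a token bound to the session.
    Unlike the cookie, the token is never attached by the browser automatically and a
    cross-site page cannot read it, so the forged request has nothing to present.
    A Referer check alone would not help in this scenario: the image request originates
    from eBay's own listing page, so the redirected request carries an eBay Referer."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "bids must be submitted with POST"
    token = req.params.get("csrf_token", "")
    # Constant-time comparison; an absent token compares unequal instead of being skipped.
    if not secrets.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{sess['user']} bid {req.params['maxbid']} on item {req.params['item']}"


# Constructed request shaped like the advisory's redirect: cookies travel, no token does.
FORGED = Request("GET", {"item": "123", "maxbid": "50"}, {"sid": "sid-alice"})
# Constructed request from the site's own bid form, carrying the session's token.
LEGIT = Request("POST", {"item": "123", "maxbid": "50",
                         "csrf_token": SESSIONS["sid-alice"]["csrf"]}, {"sid": "sid-alice"})
```

The second paragraph of the advisory's "Details" section is the point of the token check: stripping the session-specific values must make the server refuse the bid, not silently accept it.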

yok-dfa
04-19-2005, 04:47 PM
...which was posted to the web application security mailing list
15th December 2005.

So I don't have to worry for another 8 months??
:D

But seriously, people should not stay logged in to ebay all the time. I never do it anyway...

Kejoriv
04-19-2005, 04:55 PM
They have basically the same thing for paypal. Ya gotta watch your ass when surfing the net

Richter Belmount
04-19-2005, 07:54 PM
heh, yet another way to screw people over the net.

Teo
04-19-2005, 09:06 PM
That's not nearly as bad as the one where you were logged in and then posted a URL and then someone else could click the link and then they would be logged in as your account! O_O