It appears that Ebay finally removed this redirector CGI. In the process they eliminated/fixed another flaw with that same CGI that allowed XSS attacks. I reported this issue to Ebay around the time this redirection CGI originally hit bugtraq, but never heard back on resolution.

The redirector CGI on Ebay's cgi4.ebay.com server would also accept URLs with a javascript: tag as well as the reported "http://" URLs. This allowed an XSS attack against the document.domain of cgi4.ebay.com. cgi4.ebay.com appears to be used for some account admin functions -- this attack could have allowed theft of Ebay cookies for account impersonation, or session hijacking with something like my XSS-Proxy tool. Impact of XSS could have been access to account admin functions as the impersonated/hijacked victim. The window of opportunity was somewhat small as cgi4.ebay.com requires re-authentication for fiddling with account stuff -- but after a user has authenticated once to cgi4.ebay.com it doesn't ask for additional auth during session, and an attacker would have been able to view/modify some account info.

Here's a basic example that used to work before:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=javascript:alert('test');

This appears to have been fixed so is only a historical note at this point. I've found stuff like this with related redirector logic on other sites, so perhaps this is useful to others. I've also found that frequently these sorts of redirection CGIs can also have a HTTP response-header splitting vulnerability (with the location: tag in the redirect) that can also be used for XSS (and other attacks), but I didn't test for this with the Ebay redirector.
(see Amit's excellent paper on response splitting at: http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf)

Regards,
Anton Rager
arager@xxxxxxxxx

-----Original Message-----
From: Steven [mailto:steven@xxxxxxxxxxx]
Sent: Saturday, February 12, 2005 11:09 PM
To: incidents@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: eBay Account Phishing with eBay Redirect

I am not sure if this is better served by incidents or bugtraq, but in any event here it is.

I frequently get the fake looking e-mails phishing for my Paypal, eBay, and banking login/password information. Generally the links to the spoofed webpages are just links to a fake page with a modified A HREF tag. However, it appears someone has found that eBay's actual page has a command to redirect to a specified webpage. While this shouldn't be a big risk, it still poses a small one and is being actively exploited. The page actually appears to link to eBay, and it does; the link below is the one I received in my inbox recently.

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh

Simply:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com

Steven
steven@xxxxxxxxxxx
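The two flaws in this thread (an open redirect used for phishing, and the same parameter accepting javascript: URLs, plus the CR/LF response-splitting risk Anton mentions) all come from passing DomainUrl into a Location: header unchecked. The validator below is an added example written for this archive, not eBay's code; the allow-list of destination hosts and the DomainUrl parsing helper are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allow-list: the only hosts the redirector may send a browser to.
# A real deployment would load this from configuration.
ALLOWED_HOSTS = {"ebay.com", "www.ebay.com", "cgi4.ebay.com"}

# Any C0 control character, space, or DEL in the target is rejected outright:
# CR/LF would split the Location: header (response splitting), and tabs or
# newlines inside a scheme ("java\tscript:") defeat naive prefix checks.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def is_safe_redirect(target: str) -> bool:
    """True only if target is an absolute http(s) URL whose host is allow-listed."""
    # Decode once so a percent-encoded scheme (javascript%3A) is judged as written.
    decoded = unquote(target)
    if _CONTROL.search(decoded):
        return False
    parts = urlsplit(decoded)
    # Scheme allow-list rejects javascript:, data:, vbscript: and scheme-less
    # values such as "www.website.com" from the original report.
    if parts.scheme not in ("http", "https"):
        return False
    # hostname strips userinfo and port, so "www.ebay.com@evil.example" and
    # "www.ebay.com.evil.example" both fail the exact-match test below.
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def redirector_decision(request_url: str) -> bool:
    """Hypothetical replacement for the RedirectToDomain handler's check:
    extract DomainUrl from the full request and decide whether to follow it."""
    query = parse_qs(urlsplit(request_url).query)
    target = query.get("DomainUrl", [""])[0]
    return is_safe_redirect(target)


if __name__ == "__main__":
    # Constructed samples modelled on the URLs quoted in the thread.
    base = "http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl="
    for sample in ("javascript:alert('test');",
                   "http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F",
                   "www.website.com",
                   "http://www.ebay.com/"):
        print(f"{'allow' if redirector_decision(base + sample) else 'block':5} {sample}")
```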