Portcullis Security Advisory

Original Bugtraq posting 08 April 2005, Resend 19 April 2005.

Vulnerable System:
This vulnerability affects the eBay auction web sites.

Vulnerability Title:
Session Riding / Cross Site Request Forgery Attack.

Vulnerability discovery and development:
This issue was conceived by James Fisher after reading the paper "Session Riding" [1], which was posted to the web application security mailing list on 15th December 2005. The issue was further researched and developed to the point of proof of concept by Dave Armstrong, with additional input from Martin Murfitt.

Successful exploitation of this issue allows malicious users to list an item for auction in such a way that any subsequent user who views the item automatically places a bid for that item, with the value being bid under the control of the malicious user. This does, however, require that the user who views the item has logged into eBay.

Affected systems:
This issue affects the eBay auction web sites.

Details:
All that is required to expose this issue is placing an item listing for auction on eBay and adding a link to an off-site image. In reality this link points to a CGI script that, instead of returning an image, returns an HTTP 302 redirect response, sending the user's browser back to an eBay URL that automatically submits a bid. An example of a typical URL:

http://offer.ebay.co.uk/ws/eBayISAPI.dll?MfcISAPICommand=MakeBid&item=[ITEM ID]&maxbid=%A3[BID]&quant=1&javascriptenabled=1&mode=1

Users viewing the page who have not logged in simply receive a broken image, while logged-in users silently place a bid on the item. They remain unaware they have taken this action until the confirmation email is received, or until they refresh the item or otherwise check the items they have bid upon. This issue has not been tested with the "Buy Now" functionality.
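The following is an added illustration, not part of the original advisory or of eBay's code: a minimal bid handler modelled on the weak behaviour described above (a logged-in request naming an item and a bid is honoured whatever the HTTP method and without any session-bound value), beside a hardened handler that only accepts a POST carrying a per-session synchronizer token and a same-site Origin/Referer. The parameter name csrf_token, the helper names, the session layout and the sample requests are all assumptions constructed for the example; only the URL shape comes from the advisory.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

BID_HOST = "offer.ebay.co.uk"

# Constructed sample: the URL a malicious "image" link's HTTP 302 would send a
# logged-in viewer to. Shape taken from the advisory; item id and bid are placeholders.
REDIRECT_TARGET = ("http://" + BID_HOST + "/ws/eBayISAPI.dll?MfcISAPICommand=MakeBid"
                   "&item=ITEM_ID_PLACEHOLDER&maxbid=%A310.00&quant=1"
                   "&javascriptenabled=1&mode=1")


def new_session():
    """Logged-in session carrying a random synchronizer token (hypothetical field name)."""
    return {"logged_in": True, "csrf_token": secrets.token_hex(16)}


def parse_bid_request(method, url, headers=None, body=""):
    """Flatten query-string and form-body parameters into one dict."""
    params = parse_qs(urlsplit(url).query)
    params.update(parse_qs(body))
    return {"method": method, "headers": headers or {},
            "params": {k: v[0] for k, v in params.items()}}


def weak_accept_bid(req, session):
    """Behaviour the advisory observed: any authenticated request naming an item
    and a maxbid places a bid, whatever the method and with no session-bound value."""
    p = req["params"]
    return (bool(session.get("logged_in")) and p.get("MfcISAPICommand") == "MakeBid"
            and "item" in p and "maxbid" in p)


def same_site(req):
    """Defence in depth: a browser following a cross-site redirect arrives with a
    foreign Origin/Referer or none at all, never one from the bid host."""
    src = req["headers"].get("Origin") or req["headers"].get("Referer") or ""
    return urlsplit(src).hostname == BID_HOST


def hardened_accept_bid(req, session):
    """State change only via POST, only with the session's token, only same-site."""
    if req["method"] != "POST" or not weak_accept_bid(req, session):
        return False
    expected = session.get("csrf_token", "")
    supplied = req["params"].get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    return same_site(req)
```

The redirect target is accepted by the weak handler and rejected by the hardened one on method alone; a forged POST with a guessed token is rejected by the token check even when it carries a same-site Referer.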
Additionally, although the eBay site normally uses a POST request carrying what appear to be session-specific values to submit bids, it was discovered that removing these session values and changing the method to GET still produced a valid request that the server accepted.

Impact:
Items placed for auction can be manipulated to the point of placing incremental bids (of a value at the attacker's discretion) without the user's consent. This does, however, pose a minimal risk, as users are informed of their bid via email.

Exploit:
Portcullis has working proof-of-concept code for this issue; however, it will not be published within this advisory until eBay has resolved the issue.

Vendor Notified:
eBay was first notified on 22 December 2004 via email to the support mail address and other standard email addresses such as postmaster, security, issues, bugs, abuse etc. The standard web contact form was completed and sent on 23 December 2004. Further emails were sent during January 2005, February 2005 and March 2005.

Vendor Response:
No response has been received.

References:
[1] http://www.securenet.de/papers/Session_Riding.pdf

Copyright:
Copyright (c) Portcullis Computer Security Limited 2005, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information contained herein may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.