This is a very clever attack method, and indeed an issue that should be taken seriously. Also, as an eBay user it is very disappointing to see that eBay did not respond to you guys, but this does not seem to be out of the norm for them :(

Last year I found a way to circumvent some of the eBay restrictions on code, and it can be used to achieve the same results as outlined in this mailing (session riding vuln). Typically eBay will filter script tags and the like to prevent malicious code from being included in auctions and the About Me page; however, we can manipulate the document object model to include nasty code and do some bad things. Here is a sloppy POC I literally threw together in a few minutes, but it works flawlessly with the Firefox browser.

http://cgi3.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=jahmin79

I have written a paper on the details of this issue, and simply refer to it as "Document Object Model Hijacking" because we can turn trusted elements on the page into elements we control by influencing the DOM.

http://www.gulftech.org/?node=article&article_id=00055-12182004

I have no intentions of causing anyone any harm, so I have not bothered to go VERY in depth with this issue in regards to eBay, but the potential for harm is definitely there. Yes, I have tried over and over to contact eBay and have even sought help from others in the security community to contact them regarding this issue, to no avail. I hope that after seeing your guys' post, and my follow-up to it, eBay will act accordingly and resolve these two security issues, as it puts their customers at risk.

James

-----Original Message-----
From: Paul J Docherty [mailto:PJD@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, April 19, 2005 1:46 AM
To: bugs; Bugtraq; secunia
Subject: Portcullis Security Advisory 05-012 Ebay Session Riding Vulnerability

Portcullis Security Advisory
Original Bugtraq posting 08 April 2005, Resend 19 April 2005.
Vulnerable System: This vulnerability affects eBay, the auction website.

Vulnerability Title: Session Riding/Cross Site Request Forgery Attack.

Vulnerability discovery and development: This issue was conceived by James Fisher having read the paper "Session Riding"[1], which was posted to the web application security mailing list on 15th December 2005. The issue was further researched and developed to the point of Proof of Concept by Dave Armstrong, with additional input from Martin Murfitt.

Successful exploitation of this issue allows malicious users to list an item for auction in such a way that any subsequent user who views the item automatically places a bid for that item, with the value being bid under the control of the malicious user. This does however require that the user who views the item has logged into eBay.

Affected systems: This issue affects the eBay auction web sites.

Details: All that is required to expose this issue is placing an item listing for auction on eBay and adding a link to an off-site image. This link in reality would point to a CGI script that, instead of returning an image, returns a (HTTP 302) redirect response, referring the user back to the eBay URL to automatically submit a bid.

An example of a typical URL:

http://offer.ebay.co.uk/ws/eBayISAPI.dll?MfcISAPICommand=MakeBid&item=[ITEM ID]&maxbid=%A3[BID]&quant=1&javascriptenabled=1&mode=1
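The advisory's root cause is a bid endpoint that accepts a state-changing GET carrying only the session cookie, which is exactly what a 302 from an embedded "image" produces. The following is an added illustration, not code from Portcullis or eBay, of how such an endpoint is hardened: the handler refuses non-POST requests, refuses foreign Origin/Referer values, and requires a synchronizer token bound to the session. The hostname and the request/session dicts are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed hostname for the example; not a real deployment value.
SITE_HOST = "offer.example.test"


def issue_csrf_token(session):
    """Bind a fresh, unguessable token to the logged-in session (synchronizer token)."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def source_host(headers):
    """Prefer Origin, fall back to Referer; None when neither header is present."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def handle_make_bid(request, session):
    """Decide whether a MakeBid request may place a bid for the session's user.

    request: {"method": str, "params": dict, "headers": dict} (constructed shape).
    Returns ("accepted", bid_amount) or ("rejected", reason).
    """
    if not session.get("user"):
        return "rejected", "not logged in"
    # A redirect issued to an <img> fetch can only ever yield a GET, so
    # requiring POST alone defeats the image-redirect trick from the advisory.
    if request["method"] != "POST":
        return "rejected", "state-changing action must use POST"
    # Refuse cross-site origins even though the browser attached the cookie.
    # Caveat: after a redirect from an image on the site's own listing page the
    # Referer may still name the site, so this check is defence in depth only.
    host = source_host(request["headers"])
    if host is not None and host != SITE_HOST:
        return "rejected", f"cross-site request from {host}"
    # The token is obtainable only by a page served inside this session.
    expected = session.get("csrf_token", "")
    supplied = request["params"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "rejected", "missing or invalid CSRF token"
    try:
        bid = float(request["params"]["maxbid"])
    except (KeyError, ValueError):
        return "rejected", "malformed bid"
    return "accepted", bid
```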