Showing posts from January, 2013

SQL Injection Vulnerability in ebay sub domains

Title : SQL Injection Vulnerability in sub domains Author : Yogesh D Jaygadkar Reported : December 27, 2012 Fixed : Jan 15, 2013 Public Released : Jan 25, 2013 Thanks To : Darshit Ashara Greets : Rahul Bro, Aasim, Sandeep, Sagar Description : Last Month I reported SQL Injection vulnerabilities in  sub domains. You can see how many days they took for patching & allowing me to publish the vulnerability. But finally they fixed it & listed me in their Researchers Acknowledgement Page . Like every other bounty hunter I was also searching for some vulnerability in EBAY. That time I have no idea that Ebay don’t give bounty for any vulnerability. Not even for SQL Injection. :) POC: Sub Domains: & Page: searchAnnoucement.php searchAnnoucement.php Vulnerable Parameter: “ checkbox” Array POST parameter. Search option in ab

Password Reset Vulnerability in

Title :  Password Reset Vulnerability in Vuln URL : Author : Yogesh D Jaygadkar Reported : December 30, 2012 Fixed : December 30, 2012 Public Released :  Jan 08, 2013   Description : In, when users reset their password, they receives password reset link which is as below.[User Email ID]&code=[Token code]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1 When I received this mail, I started playing with this link. I noticed that token is not getting validated from server side. So I removed it & tested with my own id.  Final POC :[victim user's email ID]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1 And Password changed successfully.   Finally I