
Serious vulnerability in PayPal sample


  • This topic is locked
9 replies to this topic

#1 motiz88

motiz88

    Newbie

  • Members
  • 1 posts

Posted 14 April 2003 - 06:45 AM

Hey everyone,

The ColdFusion IPN sample, available from PayPal, contains a vulnerability which allows the execution of ColdFusion code - namely, the expression "Evaluate(TheField)" - effectively enabling a remote attacker to gain control of the system.

By sending strings such as "Evaluate('[statement1]')+Evaluate('[statement2]')+Evaluate..." in the FieldNames field, an unlimited number of (connected!) statements can be executed. On Windows systems, COM objects can be created (WScript.Shell or Scripting.FileSystemObject immediately come to mind) and used from within ColdFusion code, allowing remote attackers complete freedom to manipulate files, execute programs, create user accounts...

Check your code, people, and find an alternative to Evaluate... You can never know who might find the one little (or not so little) hole you've overlooked, and what they might do.

- Moti
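To make the two styles concrete, here is the loop the post above describes in both forms. This is an added example, not code from the PayPal sample: it assumes the sample iterates Form.FieldNames and fetches each value with Evaluate(TheField), and the allow-list pattern and the ipn struct are my additions.

```cfml
<!--- Added example, not the PayPal sample's code. Assumes the sample walks
      Form.FieldNames and reads each value with Evaluate(TheField). --->

<!--- VULNERABLE: TheField is a field NAME chosen by whoever sent the POST, and
      Evaluate() parses it as a ColdFusion expression. A request carrying a field
      named Evaluate('...') therefore runs attacker-supplied code on the server. --->
<cfloop list="#Form.FieldNames#" index="TheField">
    <cfset TheValue = Evaluate(TheField)>
</cfloop>

<!--- HARDENED: the Form scope is a struct, so index it by key. The name is only
      compared and looked up, never parsed, so an expression-shaped name is just a
      key that does not match. Names are also allow-listed to the shape IPN variables
      actually have (letters, digits, underscore), and FIELDNAMES itself is skipped
      because it too arrives from the client. --->
<cfset ipn = StructNew()>
<cfloop list="#Form.FieldNames#" index="TheField">
    <cfif REFind("^[A-Za-z0-9_]{1,64}$", TheField)
          AND CompareNoCase(TheField, "FieldNames") NEQ 0
          AND StructKeyExists(Form, TheField)>
        <cfset ipn[TheField] = Form[TheField]>
    </cfif>
</cfloop>
<!--- ipn now holds only well-formed name/value pairs; read them as ipn["payment_status"]
      and so on. Struct key lookups are case-insensitive, so the case ColdFusion reports
      the names in does not matter here. --->
```

The allow-list is belt and braces: once Evaluate() is gone the field name is inert data, but rejecting names that could never be IPN variables keeps odd input out of logs and downstream queries too.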

#2 paypal_pb

paypal_pb

    Advanced Member

  • Members
  • 2,960 posts

Posted 14 April 2003 - 10:50 AM

Thanks for bringing this up. We'll check into it. I believe the technique was derived from O'Reilly, who we generally consider reliable and sensitive to these issues: http://www.oreilly.com/lpt/a/2250

Is anyone aware of a safer means for retrieving the <post> string in ColdFusion?


Patrick Breitenbach
PayPal, Inc.
Dev Net: https://www.paypal.com/pdn

#3 paypal_pb

paypal_pb

    Advanced Member

  • Members
  • 2,960 posts

Posted 14 April 2003 - 01:45 PM

Does switching to "Form[TheField]" work and address the issue?

Patrick Breitenbach
PayPal, Inc.
Dev Net: https://www.paypal.com/pdn

#4 imstillatwork

imstillatwork

    Newbie

  • Members
  • 5 posts

Posted 25 April 2003 - 04:00 PM

FORM variables are structures and should be treated as such. FORM[thefield] should be the ONLY way you should consider accessing this information. evaluate has its place, but not here.

FORM[thefield] is much faster also.

#5 nunamakt

nunamakt

    Newbie

  • Members
  • 3 posts

Posted 17 August 2003 - 10:46 PM

You can also reference form fields as form.formfield.

Evaluate is typically used for dynamic form field names. For example, if you have an update form from a database with multiple records, you can build a list of the database IDs and pass that as form.dbIDList, then loop through that list and handle the individual form elements properly. For example:

<!-- Each record's fields carry its database ID as a suffix, and dbIDList tells
     the action page which IDs to expect back -->
<form action="processMe.cfm" method="post">

Name: <input type="text" name="myName_1" value="Dave">
Favorite Color: <input type="text" name="color_1" value="Grey">

Name: <input type="text" name="myName_5" value="Ted">
Favorite Color: <input type="text" name="color_5" value="Red">

Name: <input type="text" name="myName_7" value="Sue">
Favorite Color: <input type="text" name="color_7" value="Violet">

<input type="hidden" name="dbIDList" value="1,5,7">
<input type="submit">
</form>


processMe.cfm
----------------------
<!--- Walk the ID list and build each field name dynamically with evaluate().
      The field names match the form above (myName_<id>, color_<id>).
      The values are interpolated straight into the SQL text, so the query
      trusts whatever the client posted. --->
<cfloop index="i" list="#form.dbIDList#">
<cfquery datasource="myDSN">
UPDATE mytable
SET myName = '#evaluate("form.myName_#i#")#',
favoriteColor = '#evaluate("form.color_#i#")#'
WHERE user_ID = #i#
</cfquery>
</cfloop>


This would dynamically update the data correctly.



quote: Originally posted by imstillatwork
FORM variables are structures and should be treated as such. FORM[thefield] should be the ONLY way you should consider accessing this information. evaluate has its place, but not here.

FORM[thefield] is much faster also.

Tom Nunamaker
Paladin Computers
tom@toshop.com
http://toshop.com/
Macromedia Certified Advanced ColdFusion Developer
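The same update written without evaluate(), as an added example rather than Tom's code: the dynamic field names are built as struct keys on the Form scope, each ID from dbIDList is checked to be an integer before use, and the values reach the query through cfqueryparam instead of string interpolation. It assumes the field names (myName_<id>, color_<id>, dbIDList), table and datasource from the post above; the maxlength values and the log file name are my choices.

```cfml
<!--- processMe.cfm, hardened. Added example; assumes the form from the post above. --->
<cfloop index="i" list="#Form.dbIDList#">
    <!--- dbIDList is just another client-supplied field: accept only integer IDs,
          and only IDs whose paired fields actually arrived with the request.
          Whether this user is allowed to update these IDs at all is a separate
          authorization check, not shown here. --->
    <cfif REFind("^[0-9]{1,10}$", i)
          AND StructKeyExists(Form, "myName_" & i)
          AND StructKeyExists(Form, "color_" & i)>
        <cfquery datasource="myDSN">
            UPDATE mytable
            SET myName = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="100"
                                       value="#Form['myName_' & i]#">,
                favoriteColor = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="50"
                                              value="#Form['color_' & i]#">
            WHERE user_ID = <cfqueryparam cfsqltype="cf_sql_integer" value="#i#">
        </cfquery>
    <cfelse>
        <cflog file="processMe" text="Skipped malformed or incomplete record id: #i#">
    </cfif>
</cfloop>
```

Form["myName_" & i] does the same job evaluate("form.myName_#i#") did, but the string it builds is only ever used as a key, so a hostile value in dbIDList cannot become code; the cfqueryparam tags close the second hole, where a quote in a name or colour would otherwise rewrite the UPDATE.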


#6 paypal_pb

paypal_pb

    Advanced Member

  • Members
  • 2,960 posts

Posted 18 August 2003 - 03:36 PM

Being able to handle the fields generally is ideal, since then changes to the IPN fields delivered don't require interface modifications by merchants and developers.

Patrick Breitenbach
PayPal, Inc.
Dev Net: https://www.paypal.com/pdn

#7 jmercmon

jmercmon

    Member

  • Members
  • 14 posts

Posted 20 August 2003 - 06:32 PM

Would not the simple solution be to check the CGI_REMOTE_HOST or CGI_REMOTE_ADDR and, if it is not the PayPal server, then abort the code?

Not to mention that giving your IPN code file a strange name would help, and not using it in your buttons will also help.

#8 paypal_pb

paypal_pb

    Advanced Member

  • Members
  • 2,960 posts

Posted 21 August 2003 - 01:17 PM

My understanding is that the remote host information is fairly easy to spoof. Is that the case?

Patrick Breitenbach
PayPal, Inc.
Dev Net: https://www.paypal.com/pdn

#9 jmercmon

jmercmon

    Member

  • Members
  • 14 posts

Posted 27 August 2003 - 06:04 AM

Yes, you can spoof this .. you can spoof anything if you try hard enough. I think the answer here is to put up as many stops as possible and hope it does not happen. We probably could find a hole in anything we set up.

Ways to stop trouble:
-Name your CF paypal IPN script with a name no one would guess ... you cannot hack what you cannot find.
-Use code in your script to stop execution when things don't look right .. there are various methods to do this; I do not want to list them here, as a would-be hacker might see them.

In the end motiz88 has brought to light a very serious issue that needs to be looked at. I for one will be adding some security measures to my IPN code, but in the end nothing will ever be bullet proof.


#10 paypal_pb

paypal_pb

    Advanced Member

  • Members
  • 2,960 posts

Posted 27 August 2003 - 10:04 AM

That's true to an extent but it's dangerous to become reliant on something as easily spoofed as remote host.

Patrick Breitenbach
PayPal, Inc.
Dev Net: https://www.paypal.com/pdn
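Pulling the thread together: the control that does not depend on who the sender claims to be is the IPN postback itself. Return the message to PayPal and act only if PayPal answers VERIFIED; a remote-address filter can sit in front of that as noise reduction, but it is not the trust decision. The handler below is an added example written for this thread, not the PayPal sample. It assumes the standard postback contract (POST the body you received plus cmd=_notify-validate to https://www.paypal.com/cgi-bin/webscr; the reply body is VERIFIED or INVALID), a ColdFusion release on which GetHttpRequestData().content returns the raw form body and cfhttpparam type="body" is available, and the address list is a placeholder I made up, not a PayPal range. Posting the raw body back also answers the earlier question about a safer way to retrieve the POST string: nothing is evaluated, and the field names go back exactly as they arrived rather than in whatever case the Form scope reports them.

```cfml
<!--- Added example, not the PayPal sample. Assumes the IPN postback contract and a
      ColdFusion release where GetHttpRequestData().content is the raw form body. --->

<!--- Layer 1 (weak, optional): a remote-address filter. REMOTE_HOST is reverse DNS,
      which the sending network controls, and REMOTE_ADDR is only as trustworthy as
      any proxy or load balancer in front of this server. Log and continue rather
      than abort, so a front-end change cannot silently drop every real IPN.
      The addresses are placeholders, not a PayPal range. --->
<cfset allowedAddresses = "203.0.113.10,203.0.113.11">
<cfif NOT ListFind(allowedAddresses, CGI.REMOTE_ADDR)>
    <cflog file="ipn" text="IPN from unexpected address #CGI.REMOTE_ADDR#">
</cfif>

<!--- Layer 2 (the trust decision): hand the exact bytes received back to PayPal and
      let PayPal say whether it sent them. --->
<cfset rawPost = GetHttpRequestData().content>
<cfif NOT IsSimpleValue(rawPost) OR Len(rawPost) EQ 0>
    <cflog file="ipn" text="IPN request had no form body">
    <cfabort>
</cfif>

<cfhttp url="https://www.paypal.com/cgi-bin/webscr" method="post" throwonerror="yes">
    <cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded">
    <cfhttpparam type="body" value="#rawPost#&cmd=_notify-validate">
</cfhttp>

<cfif Trim(cfhttp.FileContent) NEQ "VERIFIED">
    <cflog file="ipn" text="IPN not verified, response: #Left(cfhttp.FileContent, 200)#">
    <cfabort>
</cfif>

<!--- Only now read the fields, by struct key, never by Evaluate(). VERIFIED means
      PayPal sent it; it does not mean the payment is the one you expect, so still
      check status, the receiver address and that txn_id has not been processed before. --->
<cfif NOT StructKeyExists(Form, "payment_status") OR Form["payment_status"] NEQ "Completed">
    <cflog file="ipn" text="IPN verified but not a completed payment">
    <cfabort>
</cfif>
<!--- ... compare Form["receiver_email"] with your account, record Form["txn_id"],
      then fulfil the order ... --->
```

Obscuring the script name, as suggested above, costs nothing and can stay, but it only hides the endpoint; the postback check is what makes a forged notification fail even when the attacker knows exactly where to send it.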



