During my latest bug hunting on subdomains of eBay I found an exploitable SQL injection, which I promptly reported to eBay's security team.
After my initial contact it took 20 days until they finally fixed the SQL injection issue.
eBay sent me a high-end computer mouse with cool features as a gift for my responsible and coordinated disclosure.
The vulnerable page was located at http://sea.ebay.com/news.php, and the "checkbox" array POST parameter was prone to SQL injection.
During the research I found that every time I put some SQL statements there, the server showed a common SQL error message stating that the syntax is wrong.
For example, when I supplied:
the webserver responded with the message "Unknown system variable 'secalert'", which indicates that user-supplied values are used as statements within the legitimate SQL query.
But if I supplied syntactically correct SQL, I got no results from the webserver.
So I thought about creating a subquery using a nested SELECT statement, which would then give me some results when the syntax of the main SELECT statement is incorrect.
So here we go in the next step:
This time the webserver response contained the name of the current DBMS user, as you may see in the following screenshot.
Finally, eBay mitigated this issue by using prepared statements, so that user-supplied values can no longer become part of the original SQL query.
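To make the difference between the two approaches concrete, here is an added example (my own code, not eBay's news.php and not the original page's) of how an array POST parameter such as checkbox[] ends up in an IN (...) clause, once by string concatenation and once with prepared statements. It uses an in-memory SQLite table with constructed rows standing in for the real news table, whose schema is unknown and assumed here; the function and column names are illustrative. The concatenating version behaves normally on benign input, which is why this class of bug survives testing, and leaks a raw driver error on malformed input, which is exactly the symptom described above. The prepared version generates one placeholder per array element and lets the driver bind the values, so the query shape is fixed before any user value is seen.

```python
import sqlite3

# Constructed sample data standing in for the news table behind a page such as
# news.php; the real schema is not known and is assumed here.
SAMPLE_ROWS = [(1, "first story"), (2, "second story"), (3, "third story")]


def make_db():
    """Build an in-memory SQLite database holding the constructed news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def fetch_news_vulnerable(conn, checkbox):
    """Before: the array values are pasted straight into the query text.

    Anything the client sends in checkbox[] becomes SQL rather than data,
    which is why malformed input surfaces as a raw database syntax error.
    """
    ids = ",".join(checkbox)
    sql = f"SELECT id, title FROM news WHERE id IN ({ids}) ORDER BY id"
    return conn.execute(sql).fetchall()


def fetch_news_prepared(conn, checkbox):
    """After: one '?' placeholder per array element, values bound by the driver.

    The statement is parsed with the placeholders in place; the bound values
    can only ever be compared against the id column, never parsed as SQL.
    """
    if not checkbox:
        return []
    placeholders = ",".join(["?"] * len(checkbox))
    sql = f"SELECT id, title FROM news WHERE id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, list(checkbox)).fetchall()


def vulnerable_error(conn, checkbox):
    """Return the driver error text the vulnerable version would leak, or None."""
    try:
        fetch_news_vulnerable(conn, checkbox)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    benign = ["1", "3"]
    probe = ["1'"]  # constructed: a stray quote, the classic syntax probe
    print(fetch_news_vulnerable(db, benign))  # works, so the bug goes unnoticed
    print(vulnerable_error(db, probe))        # raw driver error, as on the page
    print(fetch_news_prepared(db, benign))    # same rows, via bound parameters
    print(fetch_news_prepared(db, probe))     # [] because the quote is just data
```

Two details worth keeping in mind when applying this fix: the number of placeholders must be generated per request because the array length varies, and the database error text should be logged server-side and never echoed to the client, since the page above shows how much a verbose error message tells an attacker about how input reaches the query.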
October 30th, 2012: Vulnerability found and reported to eBay (firstname.lastname@example.org)
November 5th, 2012: Vulnerability reported to eBay once again
November 5th, 2012: eBay confirms the presence of the SQL injection
November 16th, 2012: eBay replied that the SQL injection is now fixed and that they want to send me a little gift
November 18th, 2012: I published this blog post
December 15th, 2012: I received an optical computer mouse from the eBay security team