<<< Date Index >>>     <<< Thread Index >>>

Portcullis Security Advisory 05-012 Ebay Session Riding Vulnerability

Portcullis Security Advisory

Original Bugtraq posting 08 April 2005, Resend 19 April 2005.

Vulnerable System: 

This vulnerability affects EBay the auction websites.  

Vulnerability Title: 

Session Riding/Cross Site Request Forgery Attack.

Vulnerability discovery and development: 

This issue was conceived by James Fisher having read the paper "Session
Riding"[1] which was posted to the web application security mailing list
15th December 2005. The issue was further researched and developed to
the point of Proof of Concept by Dave Armstrong with additional input
from Martin Murfitt. 

Successful exploitation of this issue allows malicious users to list an
item for auction in such a way that any subsequent user who views the
item automatically places a bid for that item with the value being bid
under the control of the malicious user. This does however require that
the user who views the item has logged into eBay.

Affected systems: 

This issue affects the eBay auction web sites.  


All that is required to expose this issue is placing an item listing for
auction on eBay and adding a link to an off-site image.  This link in
reality would point to a CGI script that instead of returning an image
returns a (HTTP 302) redirect response, referring the user back to the
eBay URL to automatically submit a bid.  

An example of a typical URL:

[ITEM ID]&maxbid=%A3[BID]&quant=1&javascriptenabled=1&mode=1
Users viewing the page that have not logged in simply receive a broken
image, while logged in users silently place a bid on the item. They will
remain unaware they have taken this action until the confirmation email
is received or the user either refreshes the item or otherwise checks
the items they have bid upon. This issue has not been tested with the
"Buy Now" functionality.

Additionally, although the EBay site normally uses a POST request with
what appear to be session specific values to submit bids, it was
discovered that removing these session values and changing the method to
GET still generated a valid request that was accepted by the server.


Items placed for auction can be controlled to the point of placing
incremental bids, (value at the attackers discretion) without the users
consent. This does however pose a minimal risk, as users are informed
via email of their bid. 


Portcullis have working POC code for this issue, however, this will not
be published within this advisory until eBay has resolved the issue.  

Vendor Notified:

EBay were notified first on 22 December 2004 via email to the support
mail address and other standard email addresses such as postmaster,
security, issues, bugs, abuse etc. The standard web contact form was
completed and sent on 23 December 2004. Further emails were sent during
January 2005, February 2005 and March 2005. 

Vendor Response:

No response has been received.


[1] http://www.securenet.de/papers/Session_Riding.pdf

Copyright (c) Portcullis Computer Security Limited 2005, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation. 
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms
of business.