Paypal has closed a remote code execution vulnerability some 18 months after it was reported.
The flaws reported earlier this month rated critical by Vulnerability Lab affected a core Paypal profile application.
"A system specific arbitrary code execution vulnerability has been discovered in the official in the official PayPal Inc Web-Application and API," founder and researcher Benjamin Kunz Mejr wrote in a disclosure.
"Successful exploitation of the vulnerability results in unauthorized execution of system specific codes, webshell injects via POST method, unauthorized path/file value requests to compromise the application or the connected module components."
"The system specific arbitrary code execution vulnerability is located in the developer API portal with connection and account access to the Paypal portal API."
Kunz Mejr also found a filter bypass and persistent bug during his penetration test in the same vulnerable parameter location.
He said attackers with an user account in hand could load script and remotely execute arbitrary code to access local web-server files and configurations.
Exploitation of the system specific code execution vulnerability required only a low privileged Paypal account with restricted access and did not need user interaction.
Attackers could include a frame with a local request through trusted context to capture unauthorised system data and could deploy webshell injects could during the execution point of the Paypal users profile, he said.
"The attack vector is on the application-side of the Paypal service and the injection request method is POST (dev API and Help Center). The security risk of the local command/path inject vulnerability is estimated as medium with a CVSS count of 9.1."
Paypal was notified in April 2013 and engaged in feedback until a patch was issued 25 October this year and an unspecified reward issued through eBay's bug bounty program.
The bug was the second recently disclosed by Vulnerability Lab in Paypal. Researcher Ateeq Khan reported a medium severity flaw in Paypal's shipping service that could allow an attacker to inject malicious code into a form to target users. ®
Update: PayPal has contacted The Reg to dispute Vulnerability Labs' version of events. In a canned statement, PayPal says "When we received a report from Vulnerability Labs about the remote code execution hole, we investigated this issue thoroughly. Our engineers found this was not a valid vulnerability and this was communicated to Vulnerability Labs. No reward was ever paid for this issue by the PayPal Bug Bounty program."