Phishing gone: eBay patches to block session-jacking Magento holes
XSS, CSRF, and input holes fixed
Vulnerability Lab researcher Hadji Samir says eBay has squashed three vulnerabilities in its Magento shopping platform that could permit session hijacking and man-in-the-middle attacks.
The penetration tester disclosed the vulnerabilities this month, along with proof-of-concept videos showing how attackers could steal session data and phish users.
Samir says the holes include a persistent input validation web vulnerability, a cross-site scripting (XSS) hole, and a cross-site request forgery (CSRF) bug.
"The [inject] vulnerability allows remote attackers to inject own script code to the application-side of the affected service module ... successful exploitation of the application-side vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation affected or connected module context," Samir says.
"Remote [XSS] attackers are able to inject own script codes to client-side application requests.
"The [CSRF] attacker can for example intercept the session to delete all existing messages."
Samir says the three vulnerabilities ranked as medium-severity flaws, with security scores averaging three.
He notes that the CSRF hole in phpbb was disclosed "some years ago".
Each was disclosed in March under the online tat bazaar's bug bounty program, which paid out undisclosed monetary rewards, and was patched last month. ®