Skip to content ↓ | Skip to navigation ↓

German researcher and penetration tester David Vieira-Kurz has documented a remote code execution vulnerability in eBay’s website as a result of a type-cast issue in combination with complex curly syntax.

“The vulnerable subdomain was the same where I found an exploitable SQL injection last year which is located at,” Vieira-Kurz wrote. “One of the very first tests I perform against php web applications is to look for type-cast issues because php is known to cause problems when the value of a param is expected to be string but an array was supplied as user-input instead. So obviously my next step was to perform the above request with arrays this time.”

Vieira-Kurz was working under the assumption that the eBay PHP-based interface employed preg_replace() for filtering “bad words” prior to doing some eval() on return values.

“So what happens here could be that they are trying to enforce that user-supplied values are always form string type. That means if it’s not a string they try to make a string out of it, i.e. they try to cast the values of the array into a string before doing the string-comparison for the list containing bad words,” Vieira-Kurz concluded.

He proceeded to submit an array with two indices that contained arbitrary values, one of which was in complex curly syntax designed to “trick the parser,” a supposition that was confirmed after submitting two more similar requests.

“That was enough to prove the existence of this vulnerability to eBay security team and I don’t wanted to cause any harm. What could an evil hacker have done? He could for example investigate further and also try things like {${`ls -al`}} or other OS commands and would have managed to compromise the whole webserver,” Vieira-Kurz explained.

Vieira-Kurz released a proof-of-concept video detailing the exploit of the vulnerability.

Read More Here…