PayPal’s Partner Program website (paypal-marketing.com) was plagued by a vulnerability that could have been exploited for remote code execution.
The security hole was identified by Milan Solanki, a member of Germany-based Vulnerability Lab. According to an advisory published by the security firm, the bug discovered by the expert is related to the Java Debug Wire Protocol (JDWP), the protocol used for communication between a debugger and the Java virtual machine which it debugs.
IOActive researchers showed in April 2014 that the JDWP service can be abused for reliable remote code execution. IOActive also released jdwp-shellifier, a tool designed to help penetration testers achieve remote code execution on the JDWP service.
Using IOActive’s tool, Solanki connected to the PayPal partner site on port 8000. Once connected, the expert said he was able to execute server-side commands with root privileges. The researcher published a video to demonstrate his findings.
Vulnerability Lab told SecurityWeek that PayPal awarded the researcher $1,500, the maximum bounty for security bugs found in partner websites.
“The security community’s contributions to PayPal’s Bug Bounty Program are what makes the program valuable and successful. Participants are rewarded based on the classification, security issue and overall vulnerability determined by PayPal’s security engineers,” PayPal told SecurityWeek. “We take remote code execution (RCE) vulnerabilities very seriously, and reward up to $1,500 for those found on partner sites. Sensitive information is not stored on these partner sites.”
According to PayPal, the bug found by Solanki was fixed within 48 hours. The company says it hasn’t found any evidence of unauthorized access or compromise to the server data.
This isn’t the only PayPal vulnerability identified by Solanki. Last month, the researcher reported uncovering a cross-site scripting (XSS) flaw for which the online payments system awarded him $750.
Details on the rewards offered by PayPal and instructions on submitting bugs can be found on the company’s Bug Bounty page.