Joshua Rogers Detected SQL Injection Vulnerability In EBay’s Sub Domain

EBay has been facing litigation in the United States and Europe over the cyber breach of its computer systems. These investigations will analyse whether EBay failed to adhere to proper cyber security practices and disclosure norms. Meanwhile, EBay is planning to boost the cyber security of its systems, and this effort seems to be working.

Recently the IT security expert Joshua Rogers discovered an SQL injection vulnerability on an eBay.com.au sub domain. Whilst looking for bugs in EBay, he came across the domain http://3.ebay.com.au/. It appeared to be a domain for phone users on the old “Three” phone carrier/network that was bought out by Vodafone a while ago.

On the third tab of the page, there was a link to the “Categories section”. This is a list of categories where you can view items to buy or, as in this case, go into a sub-category. Joshua noticed that a few $_GET parameters were being used. He simply put an apostrophe at the end of the first parameter, “emv_CatParent”. To his amazement, it came back with a half-completed page (pretty much the poster child of a blind SQL injection).

He faced some trouble during his exploration because Microsoft SQL Server was being used for the backend, not a Unix-based database. He loaded the website into sqlmap and did everything through there. First, he scanned the parameter to see if his assumption was right. He found that 1 to 10 columns were injectable. He also found that “Microsoft SQL Server/Sybase stacked queries” were injectable. This meant possible file write/read, and he did not look any further.
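An added example, not code from the post or from Rogers' write-up, showing the string-concatenation pattern that produces the half-completed page described above beside a validated, parameterized version of the same category lookup. SQLite stands in for the Microsoft SQL Server backend so it runs offline; the table, its sample rows and the handling of emv_CatParent are assumptions.

```python
import sqlite3

# Constructed stand-in for the category table behind the "Categories section".
# SQLite is used only so the example runs offline; the real backend was
# Microsoft SQL Server, where string concatenation has the same flaw and
# additionally permits the stacked queries sqlmap reported.
SAMPLE_CATEGORIES = [
    (1, 0, "Electronics"),
    (2, 1, "Mobile Phones"),
    (3, 1, "Cameras"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER, parent INTEGER, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?)", SAMPLE_CATEGORIES)
    return conn


def subcategories_vulnerable(conn, emv_cat_parent):
    # Flawed pattern, kept only for comparison: the raw GET parameter is
    # pasted into the SQL text, so a stray apostrophe unbalances the quoting
    # and the statement fails (the half-rendered page seen on 3.ebay.com.au).
    sql = "SELECT id, name FROM categories WHERE parent = '" + emv_cat_parent + "'"
    return conn.execute(sql).fetchall()


def subcategories_safe(conn, emv_cat_parent):
    # Hardened form: reject anything that is not a numeric category id, then
    # bind the value as a query parameter so the database never parses it as SQL.
    if not emv_cat_parent.isdigit():
        raise ValueError("emv_CatParent must be a numeric category id")
    sql = "SELECT id, name FROM categories WHERE parent = ?"
    return conn.execute(sql, (int(emv_cat_parent),)).fetchall()


def probe_outcome(lookup, value):
    """Classify how a lookup handles a parameter value: 'rows:<n>' on
    success, 'rejected' when input validation refuses it, 'sql-error'
    when the database chokes on the generated statement."""
    conn = open_db()
    try:
        return "rows:%d" % len(lookup(conn, value))
    except ValueError:
        return "rejected"
    except sqlite3.Error:
        return "sql-error"
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("1", "1'"):
        print(repr(value), probe_outcome(subcategories_vulnerable, value),
              probe_outcome(subcategories_safe, value))
```

The vulnerable lookup returns the two sub-categories for "1" but raises a syntax error for "1'", which is exactly the signal a probing apostrophe gives an attacker; the hardened lookup refuses the malformed value before any SQL is built.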

He reported this vulnerability to EBay, which was grateful to him for exposing it. Very soon EBay patched the vulnerability and publicly acknowledged Joshua's efforts. This is the best step the EBay team has taken since the recent cyber breach.
