

PayPal Arbitrary Code Execution - danpalmer
http://packetstormsecurity.com/files/129081/VL-936.txt

======
samuirai
Am I stupid or is this guy calling an XSS "Arbitrary Code Execution"? It also
seems to be a self-XSS (an XSS on his account profile, which only he can see).

How can you write so much text and be unclear about what you are doing? No
wonder PayPal didn't understand anything.

~~~
nowarninglabel
My understanding is that the author is saying they are able to do arbitrary
code execution on PayPal's servers (at least the ones hosting their help
center). If I understand correctly, one could upload executable code to
certain profile fields in one's developer account and then get their help
center to execute those.

I suppose the criticality of that would depend on what all was hosted on their
help center server as well as what other servers one could gain access to via
it.

------
MichaelGG
There must be something I'm not understanding. According to the timeline, this
was around a year and a half from reporting to fix? I find it hard to imagine
PayPal would let such a critical bug go unfixed in their services for so long
- it's a higher risk to them than to anyone.

Am I misunderstanding the impact?

~~~
yuhong
I think it is a typo.

~~~
timdorr
Even if the 2013s are 2014s, it took 5 and a half months from reporting to
fixing. That seems fairly terrible on PayPal's part.

------
Tepix
It was reported in early summer of 2013 and fixed in the fall of 2014? That’s
not very encouraging...

