eBay fixes critical security holes


The online auction site eBay has closed two vulnerabilities on its U.S. site. One of the two is a critical SQL injection vulnerability in the vendor area, through which one could gain read and write access to one of the company's databases. A SQL injection vulnerability makes it possible to inject database commands via insufficiently filtered HTTP parameters.



The vulnerability was discovered by the security researcher David Vieira-Kurz, who then informed eBay confidentially of the security problem. According to the researcher, the company responded rather quickly and closed the hole within 20 days. Whether eBay users' data could be accessed through the hole, the researcher did not try to find out, as he explained to heise Security.

The second hole was a cross-site scripting vulnerability through which JavaScript code could be placed on the eBay server, which was then executed when a specific URL was accessed. An attacker could exploit this to steal credentials from eBay users, for example. The vulnerability was first publicly documented a half weeks ago. Last Thursday the company told The Register that the vulnerability had been fixed.
