User privilege escalation exploit.

[sunos5.8 () hotmail com]

Vendor:  CyberSource
Version: Business Center, Essentials/Small 
Business, https://businesscenter.cybersource.com/

Severity: Vulnerability allows malicious employees or comprimised accounts to steal money.

Vendor Status: Notified, but expects to fix issue some time in 2006.

Overview: Business Center is the web application used by merchants to authorize, capture, and refund
Credit Card transactions.  This application has the ability for merchants to define user accounts
that are given limited privileges on what operations they can perform on a transaction.

There does not appear to be validation on user-controlled input as found by the two ways to
bypass user privilege restrictions.

Unfortunately it was found that through simple URL manipulation it is possible to bypass these security
restrictions to allow a user to create new transactions and search for and view previous transactions.
The latter would allow an untrusted user to view customer information.

Issuing new Credit transactions and capturing (moving customer money to merchant account) can be done
by creating a local copy of web pages from the site and modifying the HTML <form> submission target and content.  A 
user then
simply has to login, access the locally modified page and submit the form which then blindly sends the transaction to 
the server.

In theory then an unprivileged account would be able to generate a number of fraudulent transactions onto existing 
customers
and then move money from the merchant's account after capture to their own credit card or an accomplice's.  This 
includes
forcing through transactions that do not have correct Card Verification Numbers.


Details:
Demo account is free to create and can be done at http://www.cybersource.com/bankofamerica/eval/.
Test server is identical to Production with the exception that the Credit Card Authorizer and capturing does not contact
the card owners banks for verification.

After creating an account with only the AO privilege (allows user to create new Authorizations only) login under this 
account.

Accessing Order Search or Reports
The first level of *security* uses the security through obscurity method to prevent user from accessing the Order 
Search by preventing
the URL information from being sent to the user.  The menu on the interface does not have the button but fortunately 
the URL's use
a standard naming convention in the JSP's.
1) Copy the URL from the Virtual Terminal button, this will be 
https://businesscentertest.cybersource.com/sbctest/landing/terminal.jsp
2) Paste URL into address bar and change terminal.jsp to search.jsp, or similarly to reports.jsp
3) The associated jsp is loaded and usable.


Capturing and Crediting a transaction is not vulnerable to simply URL manipulation but are vulnerable to HTTP Post 
injections.
When creating a new transaction it is possible to save the web page locally and then modify the source
(sbc_index.jsp_files\home_data\VTSettingsLoad.htm) to prefix the form's target with 
https://businesscentertest.cybersource.com so that submission
will be sent to the server instead of localhost.

Adding the HTML option <option value="Credit">Credit</option> to the HTML <select name='transactionType'> allows a 
Credit transaction
to be selectable for creation.

Confirming the transaction causes this crafted POST form to be sent to the server and a confirmation of information is 
presented to the user
to confirm the transaction.

Recommendation:
Do not use user accounts until next year when vendor has said the problem will be fixed.