User privilege escalation exploit.

["No Sue Please" <sunos5.8 () hotmail com>]

Vendor:  CyberSource
Version: Business Center, Essentials/Small Business, 
https://businesscenter.cybersource.com/

Severity: Vulnerability allows malicious employees or comprimised accounts 
to steal money.

Vendor Status: Notified, expects to fix issue some time in 2006.

Overview: Business Center is the web application used by merchants to 
authorize, capture, and refund
Credit Card transactions.  This application has the ability for merchants to 
define user accounts
that are given limited privileges on what operations they can perform on a 
transaction.

There does not appear to be validation on user-controlled input as found by 
the two ways to
bypass user privilege restrictions.

Unfortunately it was found that through simple URL manipulation it is 
possible to bypass these security
restrictions to allow a user to create new transactions and search for and 
view previous transactions.
The latter would allow an untrusted user to view customer information.

Issuing new Credit transactions and capturing (moving customer money to 
merchant account) can be done
by creating a local copy of web pages from the site and modifying the HTML 
<form> submission target and content.  A user then
simply has to login, access the locally modified page and submit the form 
which then blindly sends the transaction to the server.

In theory then an unprivileged account would be able to generate a number of 
fraudulent transactions onto existing customers
and then move money from the merchant's account after capture to their own 
credit card or an accomplice's.  This includes
forcing through transactions that do not have correct Card Verification 
Numbers.


Details:
Demo account is free to create and can be done at 
http://www.cybersource.com/bankofamerica/eval/.
Test server is identical to Production with the exception that the Credit 
Card Authorizer and capturing does not contact
the card owners banks for verification.

After creating an account with only the AO privilege (allows user to create 
new Authorizations only) login under this account.

Accessing Order Search or Reports
The first level of *security* uses the security through obscurity method to 
prevent user from accessing the Order Search by preventing
the URL information from being sent to the user.  The menu on the interface 
does not have the button but fortunately the URL's use
a standard naming convention in the JSP's.
1) Copy the URL from the Virtual Terminal button, this will be 
https://businesscentertest.cybersource.com/sbctest/landing/terminal.jsp
2) Paste URL into address bar and change terminal.jsp to search.jsp, or 
similarly to reports.jsp
3) The associated jsp is loaded and usable.


Capturing and Crediting a transaction is not vulnerable to simply URL 
manipulation but are vulnerable to HTTP Post injections.
When creating a new transaction it is possible to save the web page locally 
and then modify the source
(sbc_index.jsp_files\home_data\VTSettingsLoad.htm) to prefix the form's 
target with https://businesscentertest.cybersource.com so that submission
will be sent to the server instead of localhost.

Adding the HTML option <option value="Credit">Credit</option> to the HTML 
<select name='transactionType'> allows a Credit transaction
to be selectable for creation.

Confirming the transaction causes this crafted POST form to be sent to the 
server and a confirmation of information is presented to the user
to confirm the transaction.

Recommendation:
Do not use user accounts until next year when vendor has said the problem 
will be fixed.

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/