I want to share my finding on a recent issue I found in a subdomain of BillMeLater.com (a Paypal service).

On 1st March, during my regular course of bug hunting in Paypal services, I found a file uploading issue that allowed me to upload files of certain extensions on the BillMeLater server.

Initially I noticed the website was running an outdated version of DotNetNuke (an ASP.NET based CMS) with the file uploader enabled. Allowed extensions were:

*. docx, *.xlsx, *.pptx, *.swf, *.jpg, *.jpeg, *.jpe, *.gif, *.bmp, *.png, *.doc, *.xls, *.ppt, *.pdf, *.txt, *.xml, *.xsl, *.css, *.zip, *.spin

So for testing purpose I uploaded a file on the server with some text content:

I even tried to upload an ASP-shell within the restrictions but It didn’t work on the server :( . If it had run then I could have got the possibility of command execution on the server.

Anyway, I reported the issue to Paypal Security Team, they addressed this issue quickly.