Release date:
Updated on:
Affected Systems:
eBay Payflow SDK
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56446
Cve id: CVE-2012-5789
The eBay Payflow SDK is an online payment solution.
In versions of the PayPal Payments Standard PHP library earlier than 20120427, the library does not verify that the server host name matches a domain name in the CN or subjectAltName field of the X.509 certificate: any valid certificate is accepted, because a "FALSE" value is used to intentionally disable the certificate verification check. A man-in-the-middle attacker who exploits this can spoof the SSL server.
<* Source: ACM CCS 2012
Link: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
http://secunia.com/advisories/51192/
*>
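Added example, not code from the SDK or from the cited paper: the host-name-to-certificate match that the description says the library skipped, written in Python over certificate dicts in the layout returned by ssl.getpeercert(). The certificate contents below are constructed samples, and the verify_host flag of check_peer is a hypothetical stand-in for the "FALSE" setting the advisory describes.

```python
"""Host name vs. certificate name check (constructed sample data, runs offline)."""


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is allowed only as the whole leftmost label
    and must cover exactly one label, so '*.com' never matches 'paypal.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if hostname is named by a dNSName subjectAltName entry or, when the
    certificate carries no dNSName entries, by the subject commonName (CN)."""
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_names:
        return any(_label_matches(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_matches(cn, hostname) for cn in cns)


def check_peer(cert: dict, hostname: str, verify_host: bool = True) -> bool:
    """Hypothetical stand-in for the library's switch: verify_host=False reproduces the
    advisory's flaw, where any CA-signed certificate is accepted regardless of name."""
    if not verify_host:
        return True
    return hostname_matches(cert, hostname)


# Constructed sample certificates (same shape as ssl.SSLSocket.getpeercert()).
PAYPAL_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "*.paypal.com")),
}
UNRELATED_CERT = {
    "subject": ((("commonName", "unrelated.example"),),),
    "subjectAltName": (("DNS", "unrelated.example"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "pay.example"),),)}

if __name__ == "__main__":
    # A validly signed certificate for another name must be rejected when the
    # check is on, and is silently accepted when it is disabled.
    print(check_peer(UNRELATED_CERT, "www.paypal.com"))                     # False
    print(check_peer(UNRELATED_CERT, "www.paypal.com", verify_host=False))  # True
```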
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
eBay
----
Currently, the vendor does not provide a patch or upgrade. Users of the software are advised to monitor the vendor's homepage for the latest version:
www.ebay.com