Executive Summary

Summary
Title: NETELLER Direct Payment API is not vulnerable to reported parameter manipulation

Information
Name: VU#705004                 First vendor publication: 2013-09-23
Vendor: VU-CERT                 Last vendor modification: 2013-10-07
Severity (vendor): N/A          Revision: M
Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA                  Environmental score: NA
Impact subscore: NA             Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CVSS base score: 6.0            Attack range: Network
CVSS impact score: 6.4          Attack complexity: Medium
CVSS exploit score: 6.8         Authentication: Requires single instance

Note that this aggregator score assumes partial confidentiality, integrity and availability impact (C:P/I:P/A:P); the CERT note itself scores the issue 0.0 with C:N/I:N/A:N (see CVSS Metrics below), because the reported vulnerability was not confirmed.

Detail

Vulnerability Note VU#705004

NETELLER Direct Payment API is not vulnerable to reported parameter manipulation

Original Release date: 23 Sep 2013 | Last revised: 07 Oct 2013

Overview

NETELLER Direct Payment API version 4.1.6 and possibly earlier versions were reported to be vulnerable to parameter manipulation via a modified HTTP POST request. After further analysis and discussion with NETELLER, this report was found to be incorrect. The NETELLER Direct Payment API is not vulnerable to the reported parameter manipulation.

Description

NETELLER Direct Payment API version 4.1.6 was reported to be vulnerable to parameter manipulation through a modified HTTP POST request and URL redirection, which would allow a malicious user to purchase items without paying the merchant for them. After further analysis and discussion with NETELLER, the initial report was found to be incorrect. NETELLER Direct Payment API is not vulnerable to this attack.

During a NETELLER Direct Payment API purchase transaction, the purchaser provides their NETELLER account number and PIN to the merchant, who then communicates with NETELLER to complete the transaction. The merchant could use the account number and PIN to make fraudulent transactions against the purchaser's account. Presumably, fraudulent transactions would be noticed by the purchaser and subject to investigation and possible termination of the merchant's account by NETELLER.

This reported vulnerability would have been an example of CWE-602: Client-Side Enforcement of Server-Side Security.
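The flaw class named above, CWE-602, is easiest to see on the merchant side rather than the provider side. The following is an added Python illustration for this note, not NETELLER's code and not part of the CERT note, of a merchant that marks an order paid from fields the customer's browser posted back (the vulnerable pattern) beside one that takes only an opaque transaction id from the client and reads status, amount, currency and order reference from the provider's server-side record. Every class, function and field name here (FakeGateway, Order, txn_id, status, amount) is hypothetical and does not model any real NETELLER API parameter; the transaction records are constructed sample data.

```python
"""CWE-602 in a merchant's payment-completion step.

Added illustration for this note; it is not NETELLER's code, not the CERT
note's code, and does not model any real NETELLER API field. Every name here
(FakeGateway, Order, 'txn_id', 'status', 'amount') is hypothetical.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Set


@dataclass
class Order:
    order_id: str
    amount: Decimal
    currency: str
    paid: bool = False
    txn_id: Optional[str] = None


class FakeGateway:
    """Stand-in for the payment provider's authoritative transaction store.

    A real merchant would fetch this record from the provider over an
    authenticated server-to-server channel, never from the browser.
    """

    def __init__(self) -> None:
        self._txns: Dict[str, dict] = {}

    def record(self, txn_id: str, order_id: str, amount: Decimal,
               currency: str, status: str) -> None:
        # Constructed sample data standing in for what the provider saw happen.
        self._txns[txn_id] = {"order_id": order_id, "amount": amount,
                              "currency": currency, "status": status}

    def lookup(self, txn_id: str) -> Optional[dict]:
        return self._txns.get(txn_id)


def vulnerable_complete_order(order: Order, posted: dict) -> bool:
    """Marks the order paid from fields the customer's browser posted back.

    The customer controls every byte of that POST body, so 'status' and
    'amount' can be set to whatever passes the check. This is CWE-602:
    the server is basing its decision on client-supplied state.
    """
    if (posted.get("status") == "approved"
            and Decimal(posted.get("amount", "0")) == order.amount):
        order.paid = True
        order.txn_id = posted.get("txn_id")
    return order.paid


def hardened_complete_order(order: Order, posted: dict, gateway: FakeGateway,
                            used_txns: Set[str]) -> bool:
    """Takes only an opaque transaction id from the client; every fact that
    decides whether money moved comes from the provider's own record."""
    txn_id = posted.get("txn_id")
    if not txn_id or txn_id in used_txns:
        return False  # missing id, or a txn already applied to some order
    rec = gateway.lookup(txn_id)
    if rec is None or rec["status"] != "approved":
        return False
    if rec["order_id"] != order.order_id:
        return False  # a real payment, but for a different (cheaper) order
    if rec["currency"] != order.currency or rec["amount"] != order.amount:
        return False  # provider saw a different amount than we are owed
    used_txns.add(txn_id)  # one payment settles at most one order
    order.paid = True
    order.txn_id = txn_id
    return True


def demo() -> Dict[str, bool]:
    """Runs both handlers against a forged POST, a genuine one and a replay."""
    gw = FakeGateway()
    used: Set[str] = set()
    # Constructed: the customer really paid 1.00 EUR, for order cheap-1 only,
    # and separately paid 499.00 EUR for order big-1.
    gw.record("T1", "cheap-1", Decimal("1.00"), "EUR", "approved")
    gw.record("T2", "big-1", Decimal("499.00"), "EUR", "approved")

    big = Order("big-1", Decimal("499.00"), "EUR")
    # Forged redirect body: status and amount edited, txn id of the cheap payment.
    forged = {"status": "approved", "amount": "499.00", "txn_id": "T1"}
    results = {"vulnerable_accepts_forged": vulnerable_complete_order(
        Order("big-1", Decimal("499.00"), "EUR"), forged)}
    results["hardened_rejects_forged"] = hardened_complete_order(big, forged, gw, used)

    genuine = {"txn_id": "T2"}  # the only field the hardened path reads
    results["hardened_accepts_genuine"] = hardened_complete_order(big, genuine, gw, used)
    # Replaying the same txn id against a second order of the same price.
    big_again = Order("big-1", Decimal("499.00"), "EUR")
    results["hardened_rejects_replay"] = hardened_complete_order(big_again, genuine, gw, used)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is that the redirect back to the merchant carries nothing trustworthy except a reference the merchant can resolve itself; the lookup must run over an authenticated channel to the provider, compare amount, currency and order reference against the merchant's own record of the order, and consume each transaction id once so a single genuine payment cannot be replayed against further orders.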

CVE-2013-3611 was originally assigned to this vulnerability.

Impact

As with most, if not all electronic payment systems, the purchaser needs to trust other parties with sensitive account and identity information. In this case, the merchant may be able to make fraudulent purchases against the purchaser's NETELLER account.

Solution

NETELLER recommends following the Direct Payment API Integration documentation.

Vendor Information

Vendor      Status         Date notified   Date updated
NETELLER    Not Affected   21 Aug 2013     03 Oct 2013

CVSS Metrics

Group          Score   Vector
Base           0.0     AV:N/AC:M/Au:S/C:N/I:N/A:N
Temporal       0.0     E:POC/RL:ND/RC:C
Environmental  0.0     CDP:N/TD:N/CR:ND/IR:ND/AR:ND

References

  • http://cwe.mitre.org/data/definitions/602.html
  • http://www.neteller.com/
  • https://merchant.neteller.com/documents/NETELLER_Direct_v4.1.3_API_Documentation.pdf

Credit

Thanks to the reporter, who wishes to remain anonymous.

This document was written by Adam Rauf.

Other Information

  • CVE IDs: CVE-2013-3611
  • Date Public: 23 Sep 2013
  • Date First Published: 23 Sep 2013
  • Date Last Updated: 07 Oct 2013
  • Document Revision: 22


Original Source

Url : http://www.kb.cert.org/vuls/id/705004

Alert History

Date                  Information
2016-02-11 08:49:24
  • Multiple Updates
2016-02-09 11:36:05
  • Multiple Updates
2013-10-11 13:31:47
  • Multiple Updates
2013-10-08 00:19:05
  • Multiple Updates
2013-10-05 00:19:45
  • Multiple Updates
2013-09-24 21:23:26
  • Multiple Updates
2013-09-24 17:22:56
  • Multiple Updates
2013-09-23 21:18:45
  • First insertion