A German security penetration tester, David Vieira-Kurtz (@secalert), discovered a remote code execution vulnerability on the eBay website.
According to David Vieira-Kurtz's blog: “I found a controller which was prone to remote-code-execution due to a type-cast issue in combination with complex curly syntax.”
David exploited the RCE flaw on ebay.com and displayed the output of PHP's phpinfo() function on the web page by modifying the URL so that injected PHP code reached the vulnerable controller.
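The mechanism behind this class of bug, as an added illustration that is neither eBay's code nor the researcher's exploit: PHP's complex curly syntax, written as {${expression}}, is evaluated by the parser whenever it appears inside a double-quoted string literal. A controller that assembles PHP source from a request parameter and passes it to eval() therefore executes whatever expression the client supplies. The hypothetical controller, the q parameter, the payload string and the hardened variant below are all constructed for this example.

```php
<?php
// Added illustration, not eBay's code. Shows why PHP's complex curly syntax
// becomes code execution once attacker-controlled text is parsed as part of a
// double-quoted string, and how a hardened handler avoids it.

// Hypothetical vulnerable controller: it builds PHP source from a request
// parameter and hands it to eval(). The parameter text lands inside a
// "..." literal, so the PHP parser applies string interpolation to it.
function vulnerable_render($q): string
{
    $code = '$out = "Results for: ' . $q . '";'; // attacker text becomes part of a "..." literal
    eval($code);                                  // interpolation happens here, including {${expr}}
    return $out;
}

// Hardened variant: never build source code from input, and reject anything
// that is not a plain string. PHP turns ?q[]=x into an array; a string-only
// check refuses it instead of letting a later step cast it silently.
function safe_render($q): string
{
    if (!is_string($q)) {
        throw new InvalidArgumentException('q must be a scalar string');
    }
    return 'Results for: ' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
}

// Constructed request values for the demonstration (no live target involved).
$benign  = 'laptop';
$payload = '{${phpinfo()}}'; // {${expr}}: PHP evaluates expr while interpolating the string,
                             // so phpinfo() runs as a side effect and its return value
                             // is then used as a variable name.

echo vulnerable_render($benign), PHP_EOL;  // prints "Results for: laptop"
echo vulnerable_render($payload);          // runs phpinfo() inside eval() and dumps the PHP configuration
echo safe_render($payload), PHP_EOL;       // prints the payload as inert, escaped text
```

Run it with the PHP CLI; the second call emits the full phpinfo() report, which is the same observable effect the researcher demonstrated on the live site, while the hardened function treats the identical input as plain text.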
A video demonstrating the vulnerability can be found here.
The researcher reported the vulnerability to eBay, and according to his blog the bug has since been fixed.