PayPal Arbitrary File Upload Vulnerability To Remote Code Execution


I tweeted 4 months ago about a Remote Code Execution vulnerability that I found in PayPal.

[Screenshot: Screen Shot 2015-08-26 at 11.15.55 PM]

Remember now?? 🙂

I just got notified that the vulnerability has been fixed, and I would like to share it with you. The vulnerability was a sneaky one, so instead of writing a long article I decided to record it. You can watch the video on YouTube:

I would be very glad to hear your feedback.

Ibrahim (storm)

  1. Ahmed mahfouz

    Nice one man
    I like it when you noticed the action method in different routes
    Now I can imagine how he/she wrote this controller class

  2. Ebram Marzouk

    Amazing Find 🙂

  3. I have followed your posts for a long time.

    I know no one would share their findings. I just had hope in you.

    Send me some advanced tutorials or your findings 🙂

    I need RCE files (like images with code in them). Uploading one should execute the code in it.

    Hoping for your reply.

    Hope you get it.

  4. yosef

    Great writeup, thanks for it.
    If I can ask, how can I learn about server-side vulnerabilities like RCE? How can someone find them? I read about it in OWASP and the Web Application Hacker's Handbook, but I think I did not get enough knowledge about it. If you can, please suggest any resource.

