Express Language(EL) Injection vulnerability in Paypal's subsidiary

An Indian Security researcher Piyush Malik has discovered an Expression Language(EL) Injection security flaw in Zong, a subsidiary of Paypal.

According to OWASP, EL Injection is a vulnerability that allows hacker to control data passed to the EL Interpreter.  In some cases, it allows attackers to execute arbitrary code on the server.

Researcher Malik said in his blog that Zong was running an outdated version of Clearspace(Now known as Jive software) on a subdomain.

"Clearspace is a Knowledge management tool and is Integrated with Spring Framework. EL Pattern was used in Spring JSP Tags which made Clearspace Vulnerable to this Bug." Malik explained in his blog.

He found two forms in the site which are vulnerable to this bug. He was able to perform some arithmetic operations using the vulnerable field.

One of the vulnerable urls:
https://clearspace.zong.com/login!input.jspa?unauth=${custom command here}

An attacker can inject a Express Language command on the 'unauth' field which will be executed in the server.  In his demo, researcher inject an arithmetic command(https://clearspace.zong.com/login!input.jspa?unauth=${100*3}) and able to executed it.

Paypal has offered some bounty amount for his finding.  Researcher didn't disclose the bounty amount.

About EL Injection vulnerability is first documented by security researchers from Minded Security in 2011.  You can find the document here: https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf