The 'q' parameter in the 'search' page of South Asian Ebay domain (sea.ebay.com/search/?q=david&catidd=1) is found to be vulnerable to remote code execution.
The researcher cleverly managed to pass the 'q' parameter as array with a command that successfully got executed.
Proof of concept provided by the researcher prints the information about the PHP running on the server:
sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1
An attacker could have exploited this vulnerability to run OS commands and managed to compromise the entire server. However, David reported about this vulnerability to eBay security team, the vulnerability has been fixed now.
He also discovered a SQL Injection vulnerability in the same domain last year.
The full technical details is available here.