Security researchers have found
Heartbleed vulnerability that puts almost three-fourths (3/4) of the world's websites on a vulnerable side. After this Researchers from Detectify found a
critical vulnerability in the Google products that leads to reading the 'etc/passwd' and 'etc/host' files of the Google Server
Now once again another biggest photo-sharing site Flickr (owned by Yahoo. Inc) has suffered from severe vulnerability. Security researcher Ibrahim Raafat from Egypt has found the SQL injection vulnerability on the Flickr site.
Raafat claims that he has found two parameters ( page_id and items ) vulnerable to Blind SQL injection and one (Order_id) vulnerable to direct SQL injection. This vulnerability allows the attacker to read the Flickr database. Furthermore successful SQL exploitation can allow attackers to gain database and MYSQL login credentials, by injecting the SQL query.
Furthermore, the Researcher explains that SQL injection vulnerability on Flickr allows the attacker to produce its attack to Remote Code Execution on the server, and using the load_file(“/etc/passwd“) function he successfully managed to read the content from the sensitive files on the Flickr server, as shown below:
Raafat has also shown the Video demonstration that the vulnerability allows him to write new files on the server that let him upload a custom 'code execution shell'.
