A critical web application vulnerability 'SQL injection' impact one of the domains of Yahoo Inc., which leads the attacker to gain the database and further exploit it to Remote Code Execution.
A Egyptian security researcher Ebrahim Hegazy have found a critical SQL injection vulnerability in Yahoo's domain that allows an attacker to remotely execute any commands on its server with Root Privileges.
Hegazy explained on the blogpost that started his analysis from the domain: http://innovationjockeys.yahoo.net/, in particular while he was examining the HTTP POST requests he noticed something that could be exploited for SQL Injection attack. On the above URL he found parameter “f_id” was vulnerable to SQL injection, and attacker can easily manipulate the parameter to which can be exploited to extract database from the server.
After the successful injecting the query he able to read the Admin username and password from admin table of the database. The password was encoded with Base64 and can easily decode. After the decode of the password, he successfully logged into the admin panel of Yahoo.
With that he further continue to exploit the vulnerability to Remote Code Execution. Admin panel allows him to upload files on the server but after uploading a file with “phpinfo();” function as a content, he found that the uploaded file was named in “.xrds+xml” instead of being in “.php”
He fond that the issue was in the “Content-Type” Header!, so in second attempt he make some edit on content header and rename the “Content-Type” Header to be “application/php”, and finally this works, which allow to execute the PHP code on the target server successfully i.e. Remote Code Execution.
A Egyptian security researcher Ebrahim Hegazy have found a critical SQL injection vulnerability in Yahoo's domain that allows an attacker to remotely execute any commands on its server with Root Privileges.
Hegazy explained on the blogpost that started his analysis from the domain: http://innovationjockeys.yahoo.net/, in particular while he was examining the HTTP POST requests he noticed something that could be exploited for SQL Injection attack. On the above URL he found parameter “f_id” was vulnerable to SQL injection, and attacker can easily manipulate the parameter to which can be exploited to extract database from the server.
After the successful injecting the query he able to read the Admin username and password from admin table of the database. The password was encoded with Base64 and can easily decode. After the decode of the password, he successfully logged into the admin panel of Yahoo.
With that he further continue to exploit the vulnerability to Remote Code Execution. Admin panel allows him to upload files on the server but after uploading a file with “phpinfo();” function as a content, he found that the uploaded file was named in “.xrds+xml” instead of being in “.php”
Hegazy found that the server kernal version was too old which gave him a plus point to exploit it and successful gained root access on the server.
Hegazy reported the vulnerability to Yahoo security team, and the vulnerability was fixed within a day. But unfortunately he didn't got any reward or bounty for his findings and the vulnerability resides on the domain was out of scope of bug bounty program.
This is not the first time that Hegazy found a critical security vulnerability on Yahoo. Earlier also he had found the Remote Code Execution on Yahoo. And along with that he found more critical vulnerability on Google, Orange Microsoft.