Yahoo Fixes RCE Flaw Leading to Root Server Access

  • 22 September 2014
  • 0 replies
  • 143 views

Userlevel 7
By Eduard Kovacs on September 22, 2014
 
A researcher has identified a series of vulnerabilities on a Yahoo service that ultimately allowed him to gain root access to one of the company's servers.
The Egyptian security researcher Ebrahim Hegazy has analyzed the "innovationjockeys.yahoo.net" domain, which is used to host a contest whose goal is to find "India's most innovative minds across campuses." The researcher initially uncovered an SQL Injection vulnerability on one of the website's pages.
By exploiting this security hole, Hegazy managed to gain access to the site's databases, which included login credentials for an administration panel. The administrator password was encoded in Base64, but the researcher said he was able to decode it.
After identifying the administrator login page, hosted at "innovationjockeys.yahoo.net/admin," the expert accessed it using the username and password found in the site's database. Once he obtained access to the administration panel, Hegazy looked for a file upload page in an attempt to execute arbitrary code on the server.
He quickly identified the file upload page, but the PHP files he had uploaded were assigned a "xrds+xml" extension due to the fact that the "Content-Type" header had the value "application/xrds+xml”. By renaming the header in his request to "application/php", the researcher managed to get his PHP file onto the server.
 
SecurityWeek/ full article here/ http://www.securityweek.com/yahoo-fixes-rce-flaw-leading-root-server-access

0 replies

Be the first to reply!

Reply