Yahoo SQL Injection flaw allows Remote Code Execution and privileges escalation

  • 20 September 2014
  • 1 reply
  • 9 views

by Pierluigi Paganini on September 20th, 2014
The Egyptian hacker Ebrahim Hegazy has discovered a critical Yahoo SQL Injection flaw, exploitable for Remote Code Execution and privilege escalation.

My readers know the Egyptian hacker Ebrahim Hegazy very well; he is a great security expert and a friend of mine who has disclosed numerous critical flaws in the most popular web services, including Microsoft, Yahoo and Orange.
The latest discovery of the cyber security expert is a SQL Injection in a Yahoo service that could be exploited by an attacker for Remote Code Execution and escalated to root privilege on one of Yahoo's servers.
As explained in his blog post, Ebrahim started his analysis from the domain http://innovationjockeys.yahoo.net/; in particular, while he was examining the HTTP POST requests he noticed something that could be exploited for a SQL Injection attack:
 
Full Article
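The article above only says that a value taken from an HTTP POST request was injectable. As an added illustration (not code from the article or from Ebrahim Hegazy's write-up; the table, rows, parameter and function names are constructed), the snippet below shows the pattern that makes a request parameter injectable beside the parameterized form that fixes it, using an in-memory SQLite database so it runs offline:

```python
"""Added example, not from the article: a POST parameter spliced into SQL
text beside the parameterized fix. All data and names are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a web application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "admin", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The request parameter is concatenated into the statement text, so the
    # database engine cannot distinguish submitted data from SQL syntax.
    # This is the injectable pattern the article refers to.
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the driver passes the value separately from the
    # statement, so whatever the client submits is compared as a literal
    # string and can never alter the query's structure.
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed posted value: the textbook tautology used in every SQLi primer.
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        # concatenation: the WHERE clause becomes always-true, every row leaks
        "vulnerable_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        # parameter binding: the same input matches no username at all
        "safe_rows": len(lookup_safe(conn, TAUTOLOGY)),
        # the fixed version still works for a legitimate lookup
        "normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that the fix is structural, not a matter of filtering quotes: once the value is bound as a parameter, the database never parses it as SQL, whatever it contains.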
 

This is an interesting article. What I can't understand is: has Yahoo been aware of this bug and done nothing about it?? Are they not concerned about the consequences of this exploit???
