Security researcher Behrouz Sadeghipour has identified a number of vulnerabilities on a Hong Kong subdomain of Yahoo (hk.yahoo.net). Fortunately, Yahoo has rushed to address the security holes reported by the expert.
According to Sadeghipour, he came across the vulnerabilities while analyzing a cross-site scripting (XSS) issue. While looking at the HTTP headers, he came across an administrator login page for the hk.yahoo.net domain.
He simply tried to log in with the “admin” username and “admin” password and it worked. Once he gained access to the administrator panel, he found a page where he could upload images.
There was an upload restriction, but the expert managed to bypass it by naming his file shell.php.jpg. Once the file was uploaded, he simply renamed it to shell.php.
“I had read/write/execute permissions in /home which contains few more subdomains and website. Also, Linux kernel is VERY old and is a rootable. Not to mention I was able to read most DIRs and Files but NOT including /etc/shadow),” the researcher explained in a blog post.
The vulnerability was reported to Yahoo on February 20 and it was patched the next day. However, so far, the company hasn’t rewarded Sadeghipour for his findings.
For additional details on these Yahoo vulnerabilities, check out the video proof-of-concept and the expert’s blog.