While participating in the Yahoo Bug Bounty program, Hegazy found an “Unauthorized Admin Access” vulnerability in one of Yahoo's domains, “mx.horoscopo.yahoo.net”. That vulnerability led him to a “Remote Code Injection” vulnerability through which he could create ASPX files on the server. Remote code injection vulnerabilities allow attackers to create files that can run system commands on the vulnerable server, edit existing files, and read data from databases hosted on it.
Once he identified the remote code injection vulnerability, he attempted to determine whether other Yahoo subdomains were affected. Much to his surprise, he found that subdomains of Microsoft’s MSN and of the French telecoms company Orange were vulnerable to the same issue.
The affected subdomains belonged to horoscope and astrology services; below is the list of the vulnerable domains:
“The shocking thing here is that I don’t have to upload/create my page on every domain to make a good POC! Because once I created that page on one of the Yahoo domains mentioned above, I found that my page had been created on ALL SITES hosted on the same server: Yahoo, MSN, Orange and others,” the researcher noted.
“Imagine a Black-Hat with this vulnerability, creating his ‘Iframed’ aspx page with its malicious content on such highly ranked/trusted domains of Yahoo.net MSN.com Orange.es and more!!” he adds.
Hegazy posted the video below as a proof of concept for the vulnerability:
He reported the vulnerability to Microsoft, which fixed it without an appropriate reward for his report; the same happened with Orange. Yahoo, however, rewarded the researcher for his report even though vulnerabilities in Yahoo.net are out of scope for the Yahoo bug bounty program.
For additional technical details on these vulnerabilities, visit Hegazy’s blog post.
(Security Affairs – hacking, remote code injection)