Yahoo Authentication Bypass with Add/Edit/Upload + Full Path Disclosure + MySQL Credentials

Hello,
This write-up will cover how I bypassed one of Yahoo’s log-in pages with a sample trick. Even though I had decided to not write anything about this report (since it was out of scope), but a few people wanted to see the trick and I thought It would be a great thing to share with everyone else. (So please don’t bother to mention it’s out of scope and carry on with the post)

Let’s have a look at what caught my attention in the first place that led on to the attack:

Which took me to the following URL:

However, by clicking on any of the following links I would be redirected to a login page that kind of looks like this:

First step I took was to run curl and see if I am able to see the content of the files on my own server so:

curl http://tw.urcosme.fashion.yahoo.net/justbeauty/Vol/22/edit > u2.html

Now that I know I am able to see the content I decided to switch to firefox and fire-up the good ol’ NoRedirect:

WE ARE IN. Here are a couple things I was able to do:
Add new content:

Edit:

and I was also able to upload a file which you will be able to see here:

I was able to get the full path and MySQL credentials by messing around with POST. There was also a possible SQLi via POST in the following admin panel which I wasn’t able to exploit due to the fact that I found the bug after the initial report.

Timeline:
2014/04/18 – Reported
2014/04/18 – Triaged
2014/04/18 – Requested more information
2014/04/21 – Closed

This post has been viewed [post_view] times

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>