I have recently reported a Directory Traversal to Yahoo! that I'd like to share with everyone. As I was roaming around the health.yahoo.com website (which redirects to health.yahoo.net), I came across the following link:
Of course, the first thing I did was simply remove the HTML file from the URL and see what I got:
and sure enough, I was able to see the file directory:
I also tried to read the passwd file located in /etc:
and I was successful:
According to a good friend of mine, I could and should have done the following to get a Remote Command Execution:
An attacker may be able to inject the following code by sending a GET request such as
<? passthru($_GET[command]) ?>
and inject that into the log file to use as a backdoor
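As an added example (not part of the original write-up, and not Yahoo!'s code), here is the defensive counterpart to the two findings above: a path resolver that canonicalizes a request path and refuses anything outside the document root, and a small log scanner that flags the traversal, sensitive-file and log-poisoning patterns a defender would look for in access logs. The document root, the log format and the sample log lines are constructed for this example.

```python
"""Defensive counterpart to the directory-traversal write-up (added example)."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # hypothetical document root, not the real site's path


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '../' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(raw_path, root=WEB_ROOT):
    """Map a request path to a filesystem path; raise if it escapes root.

    The check is purely string-based (no filesystem access), so it can run
    before any open() and does not depend on which files exist.
    """
    decoded = fully_unquote(raw_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    # Treat backslashes as separators too (conservative on a POSIX server).
    rel = decoded.replace("\\", "/").lstrip("/")
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, rel))
    if full != root_norm and not full.startswith(root_norm + "/"):
        raise ValueError(f"path escapes document root: {raw_path!r}")
    return full


def is_safe_path(raw_path, root=WEB_ROOT):
    """Boolean wrapper around resolve_under_root for quick checks."""
    try:
        resolve_under_root(raw_path, root)
        return True
    except ValueError:
        return False


# Combined-log-style request line: method, path, protocol, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SENSITIVE_RE = re.compile(r"/etc/(passwd|shadow)|/proc/self", re.I)
PHP_TAG_RE = re.compile(r"<\?")  # PHP open tag landing in a log via UA/path


def classify_log_line(line):
    """Return the list of indicators found in one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return ["unparsed"]
    path = fully_unquote(m.group("path"))
    status = int(m.group("status"))
    flags = []
    if "../" in path or "..\\" in path:
        flags.append("traversal")
    if SENSITIVE_RE.search(path):
        flags.append("sensitive-file")
    if PHP_TAG_RE.search(fully_unquote(line)):
        flags.append("php-tag")
    if "traversal" in flags and status == 200:
        flags.append("likely-success")  # a 200 on a traversal path is the alarm
    return flags


def scan_log(lines):
    """Return (index, flags) for every line that carries at least one indicator."""
    hits = []
    for i, line in enumerate(lines):
        flags = classify_log_line(line)
        if flags:
            hits.append((i, flags))
    return hits


# Constructed sample log lines (not real traffic); the last one carries a
# PHP open tag in the User-Agent field, the log-poisoning indicator.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2014:12:00:00 +0000] "GET /health/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2014:12:00:05 +0000] "GET /health/ HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2014:12:00:09 +0000] "GET /health/../../../../etc/passwd HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2014:12:00:15 +0000] "GET /health/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2014:12:00:20 +0000] "GET /health/ HTTP/1.1" 200 2300 "-" "<?php PLACEHOLDER ?>"',
]

if __name__ == "__main__":
    for raw in ["/health/index.html", "/health/../../../../etc/passwd", "/health/%252e%252e/x"]:
        print(raw, "->", "ok" if is_safe_path(raw) else "REJECTED")
    for idx, flags in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(flags)}")
```

The resolver rejects rather than silently collapses `..` segments, so a request that would have escaped the root shows up as an error in the application log instead of quietly serving a file under the root. The scanner decodes before matching, which is what catches the percent-encoded and double-encoded variants.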
But I didn't think of that, nor did I record my PoC, due to all the adrenaline I was feeling when I discovered this vulnerability.
Thank you for reading!
2014-02-10 Status changed to triaged