Yahoo Authentication Bypass with Add/Edit/Upload + Full Path Disclosure + MySQL Credentials

Hello,
This write-up will cover how I bypassed one of Yahoo’s log-in pages with a sample trick. I had decided not to write anything about this report (since it was out of scope), but a few people wanted to see the trick and I thought it would be a great thing to share with everyone else. (So please don’t bother to mention it’s out of scope, and carry on with the post.)

Yahoo SQL Injection!

Hello everyone,

After my LFI and RCE reports I decided to focus on another type of attack. In his report on HK promotions, Jordan Milne pointed out: “It’s a good place to look because it has lots of PHP scripts and Flash, it looks like it wasn’t done by Yahoo’s core devs, and most auditors aren’t looking there since its content is mostly in Chinese”. Indeed! So I decided to expand on these domains, started to poke around the following URL, and was able to make 5 different reports with 8 vulnerable files.

Yahoo Remote Command Execution via Admin/Upload Bypass

Hello everyone. Recently I was analyzing an XSS vulnerability on one of Yahoo’s subdomains, where I decided to also analyze the HTTP headers. While doing so I came across the admin login page on (hk.yahoo.net), due to the fact that the search was being posted to the search module from the admin panel. Well, that’s not the best part!