Today I will be talking about an "Unauthorized Admin Access" that led to "Remote Code Injection" on many domains of "Yahoo", "Microsoft MSN", and "Orange".
Excited? Good. Now let's dive into the details.
During my research in the #Yahoo Bug Bounty Program, I found myself on a Yahoo.net domain:
http://mx.horoscopo.yahoo.net/ymx/
I tried to find the admin panel for that domain name, and ended up at the page below:
http://mx.horoscopo.yahoo.net/ymx/editor/
The thing is, it doesn't ask for any login credentials!
Yes, I just found myself in the admin panel without being asked for login credentials; this is what is called "Unauthorized Admin Access", AKA "Indirect Object Reference".
So, you see that list of files on the left side? I had the option to create a new "ASPX" file. I intercepted the POST request sent when creating a new file, and here is what I got.
As you can see, it's a POST request to the URL below with the following POST data:
http://mx.horoscopo.yahoo.net/ymx/editor/inc/GenerateFile.aspx
POST: FileName=zigoo.aspx&FileContent=zigoo
Yes, you only have to provide the name of the newly created file and whatever content you want it to contain!!