Vulnerability in Yahoo, Microsoft, and Orange high profile subdomains

Security researcher Ebrahim Hegazy found a vulnerability that allowed remote code execution on subdomains of Yahoo, Microsoft and Orange. Fortunately, the security gap has already been addressed by the companies' technicians.


The expert discovered the flaw while analysing one of Yahoo's subdomains in Mexico (mx.horoscopo.yahoo.net). On that subdomain he found an administration panel that could be reached without any login credentials. The researcher called this vulnerability "Unauthorized Admin Access" or an "Indirect Object Reference".

From this open panel, Hegazy managed to upload his own aspx file to the server. Such files can easily contain code that would allow an attacker to execute arbitrary commands, he explains on his blog. However, the file was uploaded for research purposes only and contained just a single string.

After identifying the vulnerability, he went on to examine other Yahoo subdomains. To his surprise, he discovered that the vulnerability existed not only in Yahoo's subdomains, but also in Microsoft's MSN subdomains and in those of the French telecommunications company Orange.

“The shocking thing is that I did not upload / create my page in each domain to make a good POC! I just created this page in one of the Yahoo domains, and I discovered that my page had been created on all sites that are hosted on the same server (pe.horoscopo.yahoo.net, ar.horoscopo.yahoo.net, co.horoscopo.yahoo.net, cl.horoscopo.yahoo.net, astrocentro.latino.msn.com, astrologia.latino.msn.com, horoscopo.es.msn.com, horoscopos.prodigy.msn.com and astrocentro.mujer.orange.es): Yahoo, MSN, Orange and others,” says the researcher.

“Imagine hackers using this vulnerability, creating an 'Iframed' aspx page with malicious content on such high-profile domains as Yahoo.net, MSN.com and Orange.es.”
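The two weaknesses the article describes, an admin panel reachable without credentials and an upload function that accepted a server-executable .aspx file, are exactly what a hardened upload endpoint has to close. The Python below is an added example, not code from the article or from Hegazy's write-up: it gates the upload behind an admin session check, refuses any name carrying a server-executable extension (including double extensions such as x.jpg.aspx and trailing-dot tricks), and confines the destination to a directory outside the web root. The upload root, the extension lists and the dict-based session object are assumptions for the example.

```python
"""Hardened admin upload handler (added example, not from the article).

Assumptions: a dict-based session, an upload directory that no virtual
host serves as its web root, and extension lists that fit a content site.
"""
import os
import posixpath

# Extensions a content site legitimately needs (assumption). Anything else is refused.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt"}

# Extensions the web server would execute or honour if they landed in the web root.
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".cgi", ".config"}

# Assumption: uploads live outside every vhost's web root, so a stored file is never served as code.
UPLOAD_ROOT = "/srv/site/uploads"


class UploadRejected(Exception):
    """Raised when a file name fails validation; the reason is the message."""


def require_admin(session):
    """Every admin action checks the session first: no authenticated admin, no panel."""
    if not session or not session.get("authenticated") or session.get("role") != "admin":
        raise PermissionError("admin authentication required")


def safe_upload_path(filename):
    """Return the path an upload may be written to, or raise UploadRejected."""
    # Drop any directory component the client supplied (either separator style).
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("bad file name")
    # A trailing dot or space would be stripped by IIS-style normalisation,
    # turning "shell.aspx." into "shell.aspx" on disk; refuse it outright.
    if base != base.rstrip(". "):
        raise UploadRejected("trailing dot or space in file name")
    # Inspect every extension in the name, so x.jpg.aspx and x.aspx.jpg both fail.
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("file name has no extension")
    if {"." + p for p in parts[1:]} & SERVER_EXECUTABLE:
        raise UploadRejected("server-executable extension")
    if "." + parts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    dest = os.path.normpath(os.path.join(UPLOAD_ROOT, base))
    # Belt and braces: the final path must still sit inside the upload directory.
    if os.path.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        raise UploadRejected("path escapes upload directory")
    return dest


def upload_verdict(filename):
    """Validation result as a string: 'ok:<path>' or 'rejected:<reason>'."""
    try:
        return "ok:" + safe_upload_path(filename)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


def handle_upload(session, filename, data, writer=None):
    """Admin-only upload: authenticate, validate the name, then store the bytes."""
    require_admin(session)
    dest = safe_upload_path(filename)
    if writer is None:
        def writer(path, payload):
            with open(path, "wb") as fh:
                fh.write(payload)
    writer(dest, data)
    return dest


if __name__ == "__main__":
    # Constructed sample names that mirror the article's .aspx upload.
    for name in ["photo.jpg", "shell.aspx", "shell.jpg.aspx", "shell.aspx.", "../../web/x.png"]:
        print(name, "->", upload_verdict(name))
```

The order in `handle_upload` is deliberate: the authentication check runs before any file name is even parsed, so an unauthenticated visitor never reaches the upload logic. Keeping `UPLOAD_ROOT` outside every virtual host's document root is what prevents one uploaded file from appearing on every site that shares the server, which is the scenario the researcher describes.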

The researcher reported his findings to Microsoft, Yahoo and Orange. Orange has not responded to the report, while Yahoo has decided to reward the expert.

For more technical details on the vulnerability, visit Hegazy's website.

iGuRu.gr

Written by giorgos
