Flickr vulnerable to SQL Injection and Remote Code Execution Flaws



Security researchers recently disclosed the Heartbleed vulnerability, which left almost three-fourths (3/4) of the world's websites exposed. Shortly afterwards, researchers from Detectify found a critical vulnerability in Google products that allowed them to read the 'etc/passwd' and 'etc/host' files of a Google server.

Now, once again, another major site, the photo-sharing service Flickr (owned by Yahoo Inc.), has suffered from a severe vulnerability. Security researcher Ibrahim Raafat from Egypt has found a SQL injection vulnerability on the Flickr site.

Raafat claims that he found two parameters (page_id and items) vulnerable to blind SQL injection and one (Order_id) vulnerable to direct SQL injection. The vulnerability allows an attacker to read the Flickr database. Furthermore, successful SQL injection exploitation can allow attackers to obtain database and MySQL login credentials by injecting SQL queries.



Furthermore, the researcher explains that the SQL injection vulnerability on Flickr allowed him to escalate the attack to remote code execution on the server; using the load_file("/etc/passwd") function he successfully read the contents of sensitive files on the Flickr server, as shown in his screenshot.



Raafat has also published a video demonstration showing that the vulnerability allowed him to write new files on the server, which let him upload a custom 'code execution shell'.
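The two weaknesses the report describes are a query built from unsanitized request parameters (the page_id / items / Order_id injection) and a database account privileged enough to read and write server files through load_file() and INTO OUTFILE (the file read and the shell upload). The following added example, which is not Flickr's or the researcher's code, shows both from the defender's side: a string-concatenated lookup beside its parameterized replacement, run against a constructed in-memory SQLite table, and a small audit of constructed MySQL `SHOW GRANTS` lines that flags accounts holding the FILE privilege (or ALL PRIVILEGES, which includes it). The table, the account names and the grant strings are all invented for the demonstration.

```python
"""Defender-side illustration of the two root causes behind the Flickr report:
injectable string-built SQL vs. a parameterized query, and a database account
holding the FILE privilege that makes load_file()/INTO OUTFILE usable."""
import re
import sqlite3

# Constructed in-memory table standing in for an order lookup; not Flickr's schema.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE orders (order_id TEXT PRIMARY KEY, owner TEXT, secret TEXT);
    INSERT INTO orders VALUES ('1001', 'alice', 'alice-private');
    INSERT INTO orders VALUES ('1002', 'bob',   'bob-private');
""")


def lookup_vulnerable(order_id):
    """Builds the statement by concatenation: the request value becomes part of
    the SQL text, so a quote in it changes the query's logic."""
    sql = "SELECT owner, secret FROM orders WHERE order_id = '" + order_id + "'"
    return _conn.execute(sql).fetchall()


def lookup_safe(order_id):
    """Same lookup with a bound parameter: the driver sends the value separately
    and it can only ever be compared against order_id, never parsed as SQL."""
    sql = "SELECT owner, secret FROM orders WHERE order_id = ?"
    return _conn.execute(sql, (order_id,)).fetchall()


# Constructed sample of MySQL `SHOW GRANTS` output for three hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%'",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'reports'@'localhost'",
    "GRANT SELECT, UPDATE ON shop.* TO 'shop_ro'@'10.0.0.%'",
]

_GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>.+)$")


def accounts_with_file_access(grant_lines):
    """Return the accounts whose grants include FILE or ALL PRIVILEGES.

    FILE is a global privilege in MySQL, so it only appears on *.* grants; an
    application account that carries it turns any SQL injection into a file
    read (load_file) or file write (INTO OUTFILE) on the database host."""
    flagged = []
    for line in grant_lines:
        m = _GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if m.group("scope") == "*.*" and ("FILE" in privs or "ALL PRIVILEGES" in privs):
            flagged.append(m.group("who"))
    return flagged


if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print("concatenated query, injected input:", lookup_vulnerable(probe))
    print("parameterized query, same input:  ", lookup_safe(probe))
    print("accounts able to use load_file/INTO OUTFILE:",
          accounts_with_file_access(SAMPLE_GRANTS))
```

Run stand-alone, the concatenated lookup returns every row for the injected input while the parameterized one returns nothing, and the grants audit names the two over-privileged accounts. The web application's account should appear in neither list: beyond parameterizing queries, revoking FILE (and keeping secure_file_priv set on the server) is what removes the read-file and write-shell escalation the article describes.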
