Single RCE Vulnerability affects Yahoo, Microsoft and Orange
Ebrahim was hunting for security holes in Yahoo domains when he found that one of the sub-domains allowed him to upload .aspx files, an issue that also affected Microsoft and Orange.
As a test, Ebrahim uploaded a file called 'zigoo.aspx' with 'zigoo' as its content. After checking, he found the sites below on the same server.
#Yahoo:
http://pe.horoscopo.yahoo.net , http://mx.horoscopo.yahoo.net , http://ar.horoscopo.yahoo.net
http://co.horoscopo.yahoo.net , http://cl.horoscopo.yahoo.net , http://espanol.horoscopo.yahoo.net
#Microsoft MSN:
http://astrocentro.latino.msn.com/ , http://astrologia.latino.msn.com/ , http://horoscopo.es.msn.com/
http://horoscopos.prodigy.msn.com
#Orange:
http://astrocentro.mujer.orange.es
The interesting thing about this vulnerability is that the page created on the Yahoo domain was also reflected on the other domains. Ebrahim explained the reason as follows:
"It's a CDN (Content Delivery Network) service for astrology that caches the same content to render it for the sub domains of those mentioned vulnerable domains, so all files on one domain will be shown on all other domains on the server."
As a proof of concept, the researcher made a video demonstration of the vulnerability.
This is not the first time Ebrahim has discovered an RCE vulnerability on Yahoo. Earlier this year he reported an RCE vulnerability to Yahoo.