Jump to content
begood

Yahoo! Local Hacked

By begood, in Stiri securitate

Recommended Posts

begood Newbie

begood

Posted
Posted

Ghiciti cine ? "Unu" :)

A greyhat hacker has discovered a critical SQL injection vulnerability in Yahoo! Local Neighbors discussion board website. The flaw can be used to read information about administrative and user accounts or upload a shell on the server.

Neighbors is a Yahoo! Local feature launched at the end of 2007 with the purpose of providing a place for people to exchange information about events happening in their local communities and other useful info. Yahoo! describes the site as a "practical discussion board for any topic - from neighborhood safety to contractor recommendations."

The hacker who discovered the vulnerability goes by the online nickname of "Unu" and had previously uncovered similar vulnerabilities in other high profile websites. He notes that despite finding SQL injection and cross-site scripting (XSS) vulnerabilities in Yahoo! websites before, this is the first time when he encountered a MySQL 5 server being used by the company.

The screenshots provided by the hacker reveal the databases available on the server, as well as the users with access to them. While connections with the "root" account can only be established from local IP addresses owned by Yahoo!, Unu points out that an account called "reply_mon" can be used to access the databases from any host.

Querying the database table where details about the website's admins are stored reveals their user names, e-mail addresses and publicly displayed names. Furthermore, the UserLocations table contains information about registered users, including their Yahoo! ID, address, city, state, zip code, country and e-mail.

However, one of the most dangerous finds is that the server allows load_file, which means that a writable directory can be used to execute malicious code in order to obtain command line access. The hacker notes that, from that point on, "we can do virtually anything we want with the website: upload shells, redirects, infect pages with trojan droppers, even deface the whole website."

In an e-mail to Softpedia, Unu wrote that he is an adept of responsible disclosure practices and confirmed that Yahoo! had been notified of this vulnerability in advance. "As far as I know it has been addressed," he noted.

Yahoo! Local Hacked

escalation666 Newbie

escalation666

Posted
Posted

Asta e sigur unu de pe hackersblog?

"By unu1234567"

De cand unu e si lord?

"I INTERFERE HERE NATURALLY , WICH I FIND ….JUST FOR FUN ! ALL PICTURES ARE REAL AND NOTHING IS BLURRED , IS ALCHIMIE , IS ART …AND I’M THE WINNER !

ENJOY MY WORLD !

LORD UNU

"

Alchemy scris gresit iar el e castigatorul a ce?

Pute a manelar.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...