Rikudo Posted May 25, 2014

Ebrahim Hegazy, a bug bounty hunter from Egypt, has identified a security vulnerability that allowed him to hack Microsoft, Yahoo and Orange.

While he was on the hunt for a security bug in Yahoo domains, he found a web page that allowed him to upload .aspx files and modify the existing .aspx files. You can just create a new file by sending a POST request to the URL "http://mx.horoscopo.yahoo.net/ymx/editor/inc/GenerateFile.aspx" with the following POST content: "FileName=New_File_Name.aspx&FileContent=File_Content_Here".

Ebrahim simply uploaded a file called 'zigoo.aspx' with 'zigoo' as content. To find other Yahoo domains that were affected by the same vulnerability, the researcher did a Bing search.

More: Single RCE Vulnerability that affects Microsoft, Yahoo and Orange - E Hacker News
Hertz Posted May 25, 2014

How is it not? The guy can put a shell in a file, and from there it's RCE.
Rikudo (Author) Posted May 25, 2014

@Shocker - It's probably RCE, but we can't tell from just an image. Why wouldn't it be RCE? Or why would it be?
dancezar (Active Members) Posted May 25, 2014

RCE, Remote Code Execution: you execute arbitrary code. What's there is more of an arbitrary file upload, except that the request is not sent via POST but via GET.
dekeeu Posted May 25, 2014

@Shocker - It's probably RCE, but we can't tell from just an image. Why wouldn't it be RCE? Or why would it be?
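
The article describes an endpoint that writes a caller-named file with caller-supplied content, and dancezar notes the parameters may travel in the query string rather than the body. As an added example (not from the article, the thread, or any of the affected sites), here is a Python check that a filtering proxy or a log reviewer could apply to such requests; the extension list, the function names and the sample requests are assumptions made for illustration.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Extensions IIS/ASP.NET typically maps to server-side handlers.
# Assumed list for illustration; tune it to the site's handler mappings.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".asa", ".cer", ".cshtml", ".config"}

def normalise(name):
    """Reduce a client-supplied name to the file name Windows would create."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    base = base.split(":", 1)[0]       # drop an NTFS stream suffix (x.aspx::$DATA)
    return base.rstrip(". ").lower()   # Windows strips trailing dots and spaces

def findings(method, url, body=""):
    """Return the reasons a file-writing request should be rejected (empty = none)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST":       # parameters may be in the body, the query, or both
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    reasons = []
    for key, values in params.items():
        if key.lower() != "filename":  # ASP.NET request keys are case-insensitive
            continue
        for raw in values:
            if ".." in raw or "/" in raw or "\\" in raw:
                reasons.append("path component in FileName")
            ext = os.path.splitext(normalise(raw))[1]
            if ext in EXECUTABLE_EXTS:
                reasons.append("server-executable extension " + ext)
    return reasons

# Constructed sample requests; only the endpoint path and parameter names come from the article.
ENDPOINT = "/ymx/editor/inc/GenerateFile.aspx"
SAMPLES = [
    ("POST", ENDPOINT, "FileName=zigoo.aspx&FileContent=zigoo"),
    ("GET", ENDPOINT + "?FileName=notes.txt&FileContent=hello", ""),
    ("POST", ENDPOINT, "FileName=page.ASPX.%20&FileContent=x"),
    ("GET", ENDPOINT + "?filename=..%5Cweb.config&FileContent=x", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, body, "->", findings(method, url, body) or "ok")
```

A filter like this is a second line of defence; the underlying fix is for the endpoint to require authentication and to refuse to write server-executable content under the web root at all.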