Yahoo Full Application Source Code Disclosure Vulnerability

Yahoo-logo

Hello Friends,

Today I will be talking about a “Full Application Source Code Disclosure” Vulnerability in one of Yahoo domains.

Domain name: https://tw.user.mall.yahoo.com/

Vulnerability Type: SVN Repository Disclosure Vulnerability

What is SVN ?:

SVN is a system to keep track of changes to project files. It’s usually used for any kind of project, being PHP or not, and many concurrent users to allow them to change files without overwriting each others’ changes.

Quoted from: “http://stackoverflow.com/questions/634820/what-is-svn-php”

In the Exploitation scenario, SVN Directory got a file named as “entries”

This file contains the files names and directories names of the project/application.

.e.g “https://android.googlesource.com/platform/external/mp4parser/+/dd9eb897ee7c7b507cbdcf80263bb4b5de6966bf/isoparser/src/main/java/com/coremedia/iso/boxes/apple/.svn/entries

As it’s clear from the above description, this SVN directory should be located only out side the web directory.

But what if that directory is located in the web directory? let’s explain the Yahoo vulnerability to understand it.

While Searching in the above mentioned domain name I found below directory on the web directory, and I’ve added “Entries” to it:

https://tw.user.mall.yahoo.com/prostore/.svn/entries

Screenshot from 2014-07-11 15:24:45

 

Now I can see each file and directory of the web application, so What?!

  • If the Yahoo server admin has compressed some files in .zip file, in normal scenario i will not be able to see it! but now I can see and download it 🙂
  • If the developer made a copy of the files such as config.php.bak, in normal scenario I wont see it, but now I can!
  • If the admin panel is hidden and I cant find it with any directory bruteforcing tool, Now I can easiely find it!

And many other Exploitation scenarios that could be conducted if the SVN directory is located on the web directory.

MoreOver,
While searching the directories fetched from the Entries file, I found some directories that contain a HTML files named with the same name as the PHP files, and guess what? It has the source code of the PHP files!

xScreenshot

Now that I knew it, I can’t visit every directory and then visit every HTML file inside the directory to see the source code!

So, I’ve wrote a Python POC file that will visit every dir and then fetch every page inside that directory to get a good POC.

The above vulnerability also helped me to gain UnAuthorized Admin access to a dir in that domain name:

yScreenshot

I’ve reported to Yahoo both vulnerabilities:

  • Source Code Disclosure
  • Unauthorized Admin Access

Yahoo has decided to gather both vulnz in one report, and has rewarded me with, take a guess?

Yahoo has rewarded me a 250$ for this report! ya it’s 250$ you see it right 😀

This is one of the consequences of Yahoo minimized the minimum reward to be 50$!

However, Thanks Yahoo team for releasing a fast fix for this vulnerability.

Follow me on Twitter: https://twitter.com/zigoo0

Leave a reply