IT-Securityguard Blog

[BugBounty] Yahoo phpinfo.php disclosure

| Keine Kommentare

Dear readers,

during my research of yahoo i found a phpinfo.php file information disclosure vulnerability, on one of their servers. The server on which i found that particular file was : http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php you might ask yourself how on earth i found this server. Let me explain what i did: Since the scope for the vulnerability program of yahoo is *.yahoo.com i did a ping on the main domain of Yahoo to find out the corresponding ip adress. The result was  98.138.253.109, the next thing i did was a whois request on that domain to find the netrange of this ip adress.

 

Bildschirmfoto 2014-09-26 um 16.49.33

NetRange: 98.136.0.0 – 98.139.255.255
CIDR: 98.136.0.0/14
OriginAS:
NetName: A-YAHOO-US9
NetHandle: NET-98-136-0-0-1
Parent: NET-98-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-12-07
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-98-136-0-0-1

As you can see the CIDR entry tells me that Yahoo owns a large Network 98.136.0.0/14 which is 260.000 unique IP-Adresses.  So i wrote a short shell script to ask every single ip Adress of the whole Yahoo range for the phpinfo.php file

and yes the result was the one i’ve found above.

 

Thanks for reading

All the best

Patrik

 

Schreibe einen Kommentar

Pflichtfelder sind mit * markiert.