[BugBounty] Yahoo phpinfo.php disclosure

Dear readers,

during my research of yahoo i found a phpinfo.php file information disclosure vulnerability, on one of their servers. The server on which i found that particular file was : http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php you might ask yourself how on earth i found this server. Let me explain what i did: Since the scope for the vulnerability program of yahoo is *.yahoo.com i did a ping on the main domain of Yahoo to find out the corresponding ip adress. The result was, the next thing i did was a whois request on that domain to find the netrange of this ip adress.


Bildschirmfoto 2014-09-26 um 16.49.33

NetRange: –
NetName: A-YAHOO-US9
NetHandle: NET-98-136-0-0-1
Parent: NET-98-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-12-07
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-98-136-0-0-1

As you can see the CIDR entry tells me that Yahoo owns a large Network which is 260.000 unique IP-Adresses.  So i wrote a short shell script to ask every single ip Adress of the whole Yahoo range for the phpinfo.php file

for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 5 http://${ipa}/phpinfo.php; done &

and yes the result was the one i’ve found above.


Thanks for reading

All the best




2 Gedanken zu „[BugBounty] Yahoo phpinfo.php disclosure

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.