Expert Finds Remote Code Execution Vulnerability in Yahoo Server

Yahoo hasn’t determined if the flaw falls within the scope of the bug bounty program

By on January 27th, 2014 09:54 GMT

Security researcher Ebrahim Hegazy has identified a remote command execution vulnerability in a Yahoo server. Yahoo has addressed the security hole.

According to the expert, he initially found a remote PHP code injection flaw. However, he managed to escalate it to a remote code execution vulnerability.

The issue was identified on tw.user.mall.yahoo.com, but Hegazy says that the underlying server hosts several other subdomains as well.

The security hole was reported to Yahoo on January 20, and it was fixed the next day. Yahoo representatives have told the researcher that they’re trying to determine if his findings are covered by the new bug bounty program.

Additional technical details on the vulnerability are available on Hegazy’s blog, and the expert has also published a proof-of-concept video.
