Vulnerable to SQL injection

Aug 25, 2009 13:07 GMT  ·  By

A greyhat hacker has discovered a critical SQL injection vulnerability in Yahoo! Local Neighbors discussion board website. The flaw can be used to read information about administrative and user accounts or upload a shell on the server.

Neighbors is a Yahoo! Local feature launched at the end of 2007 with the purpose of providing a place for people to exchange information about events happening in their local communities and other useful info. Yahoo! describes the site as a "practical discussion board for any topic - from neighborhood safety to contractor recommendations."

The hacker who discovered the vulnerability goes by the online nickname of "Unu" and had previously uncovered similar vulnerabilities in other high profile websites. He notes that despite finding SQL injection and cross-site scripting (XSS) vulnerabilities in Yahoo! websites before, this is the first time when he encountered a MySQL 5 server being used by the company.

The screenshots provided by the hacker reveal the databases available on the server, as well as the users with access to them. While connections with the "root" account can only be established from local IP addresses owned by Yahoo!, Unu points out that an account called "reply_mon" can be used to access the databases from any host.

Querying the database table where details about the website's admins are stored reveals their user names, e-mail addresses and publicly displayed names. Furthermore, the UserLocations table contains information about registered users, including their Yahoo! ID, address, city, state, zip code, country and e-mail.

However, one of the most dangerous finds is that the server allows load_file, which means that a writable directory can be used to execute malicious code in order to obtain command line access. The hacker notes that, from that point on, "we can do virtually anything we want with the website: upload shells, redirects, infect pages with trojan droppers, even deface the whole website."

In an e-mail to Softpedia, Unu wrote that he is an adept of responsible disclosure practices and confirmed that Yahoo! had been notified of this vulnerability in advance. "As far as I know it has been addressed," he noted.

Photo Gallery (6 Images)

Hacker discloses SQL vulnerability in Yahoo! Local Neighbors
Database listing on Yahoo! Local database serverMySQL users listing on Yahoo! Local database server
+3more