Preface:
An Egyptian hacker uploads a file and takes over websites owned by many large vendors. This guy is also very funny and writes with a comedic touch. Here is the original English text.
Body:
Hello, everyone. Today I will show you a Remote Code Injection caused by "Unauthorized Admin Access". I used this vulnerability to fix Yahoo, Microsoft and Orange websites.
Incredible, isn't it? Now it is time to witness the miracle. One day I was messing around on a Yahoo page and found this page while looking for the admin backend. (Here ymx stands for my own account) http://mx.horoscopo.yahoo.net/ymx/editor/
Log in without any authentication. I thought he would say "Unauthorized Admin Access", AKA Indirect Object Reference.
Have you seen the file list on the left? I can also create a similar aspx file. First, intercept the data submitted by POST.
You can clearly see the POST line: FileName=zigoo.aspx&FileContent=zigoo. I can replace it with any content. (Awesome, isn't it!)
Let me just write something. This proves the existence of the vulnerability.
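The defensive counterpart to the request above, as an added example that is not part of the original post or of any vendor's code: a server-side check that an editor save endpoint would run before writing anything to disk. The session shape, the allowed extension set and the function names are assumptions; only the FileName and FileContent parameters come from the post.

```python
import posixpath
from urllib.parse import parse_qs

# Assumption: the editor should only ever save static content types.
ALLOWED_EXTENSIONS = {".txt", ".html", ".css"}


class SaveRejected(Exception):
    """Raised when a save request must not reach the filesystem."""


def check_save_request(session, raw_body):
    """Validate an editor save request; return (filename, content) or raise.

    session: dict for the caller's server-side session (hypothetical shape).
    raw_body: the urlencoded POST body, e.g. FileName=...&FileContent=...
    """
    # 1. Authentication and authorization come first, on every request.
    if not session or not session.get("authenticated"):
        raise SaveRejected("not authenticated")
    if session.get("role") != "admin":
        raise SaveRejected("not authorized")

    fields = parse_qs(raw_body, keep_blank_values=True)
    name = fields.get("FileName", [""])[0]
    content = fields.get("FileContent", [""])[0]

    # 2. The name must be a bare file name: no directories, no traversal,
    #    no NUL bytes or ADS/drive colons, no trailing dots or spaces.
    if not name or name != posixpath.basename(name.replace("\\", "/")):
        raise SaveRejected("path components not allowed")
    if any(c in name for c in "\x00:") or name != name.strip(". "):
        raise SaveRejected("malformed file name")

    # 3. Allow-list the final extension so server-executable types
    #    (.aspx, .ashx, .asp, ...) can never be written.
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise SaveRejected("extension %r not allowed" % ext)
    return name, content


def is_rejected(session, raw_body):
    """Convenience wrapper: True when the request would be refused."""
    try:
        check_save_request(session, raw_body)
        return False
    except SaveRejected:
        return True
```

With this check in place the request from the post is refused twice over: once because there is no authenticated session, and again because `.aspx` is not an allowed extension.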
Next, let's look for the evil ones and find out which subdomains have this vulnerability:
# Yahoo:
http://pe.horoscopo.yahoo.net
http://mx.horoscopo.yahoo.net
http://ar.horoscopo.yahoo.net
http://co.horoscopo.yahoo.net
http://cl.horoscopo.yahoo.net
http://espanol.horoscopo.yahoo.net
# Microsoft MSN:
http://astrocentro.latino.msn.com/
http://astrologia.latino.msn.com/
http://horoscopo.es.msn.com/
http://horoscopos.prodigy.msn.com
# Orange:
http://astrocentro.mujer.orange.es
When I tested these websites, I found another huge secret! As long as I create this page under one subdomain, the other subdomains are automatically affected as well. It is like hitting the ox from across the mountain.
As a result, I reported this vulnerability to Microsoft. Microsoft calmly replied, "We will investigate it." Well, let them investigate it slowly. Let's guess how this happens in a dozen or a hundred times. I guess it is a CDN server that provides cached content to all the subdomains, so when a file appears under one domain name, all the other domain names are affected.
The following is a POC video:
Finally, let's make a try:
# Yahoo_Case
Yahoo did not pay a reward for the vulnerability, but the vulnerability I discovered involved six subdomains, which had a huge impact. So they prepared a reward and gave it to me.
# MSN_Case
I asked Microsoft for a reward. As a result, Microsoft never paid any attention to me, and they must have secretly fixed the vulnerability. WTF
# Orange_Case
Contacting Orange is simply hell-level difficulty, so I gave up. But fortunately, Microsoft released a patch to fix all servers, including Orange.