[BugBounty] Yahoo phpinfo.php disclosure

Dear readers,

during my research of yahoo i found a phpinfo.php file information disclosure vulnerability, on one of their servers. The server on which i found that particular file was : http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php you might ask yourself how on earth i found this server. Let me explain what i did: Since the scope for the vulnerability program of yahoo is *.yahoo.com i did a ping on the main domain of Yahoo to find out the corresponding ip adress. The result was  98.138.253.109, the next thing i did was a whois request on that domain to find the netrange of this ip adress.

 

Bildschirmfoto 2014-09-26 um 16.49.33

NetRange: 98.136.0.0 – 98.139.255.255
CIDR: 98.136.0.0/14
OriginAS:
NetName: A-YAHOO-US9
NetHandle: NET-98-136-0-0-1
Parent: NET-98-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-12-07
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-98-136-0-0-1

As you can see the CIDR entry tells me that Yahoo owns a large Network 98.136.0.0/14 which is 260.000 unique IP-Adresses.  So i wrote a short shell script to ask every single ip Adress of the whole Yahoo range for the phpinfo.php file

#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 5 http://${ipa}/phpinfo.php; done &

and yes the result was the one i’ve found above.

 

Thanks for reading

All the best

Patrik

 

en_USEnglish