Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Yahoo Fixes RCE Flaw Leading to Root Server Access

A researcher has identified a series of vulnerabilities on a Yahoo service that ultimately allowed him to gain root access to one of the company’s servers.

A researcher has identified a series of vulnerabilities on a Yahoo service that ultimately allowed him to gain root access to one of the company’s servers.

The Egyptian security researcher Ebrahim Hegazy has analyzed the “” domain, which is used to host a contest whose goal is to find “India’s most innovative minds across campuses.” The researcher initially uncovered an SQL Injection vulnerability on one of the website’s pages.

By exploiting this security hole, Hegazy managed to gain access to the site’s databases, which included login credentials for an administration panel. The administrator password was encoded in Base64, but the researcher said he was able to decode it.

After identifying the administrator login page, hosted at “,” the expert accessed it using the username and password found in the site’s database. Once he obtained access to the administration panel, Hegazy looked for a file upload page in an attempt to execute arbitrary code on the server.

He quickly identified the file upload page, but the PHP files he had uploaded were assigned a “xrds+xml” extension due to the fact that the “Content-Type” header had the value “application/xrds+xml”. By renaming the header in his request to “application/php”, the researcher managed to get his PHP file onto the server.

After finding the remote code execution (RCE) vulnerability, gaining root access to the server was not difficult because the kernel had not been updated since 2012. Hegazy leveraged a local root exploit vulnerability to achieve the task.

The expert reported his findings to Yahoo on September 5, and the company addressed the issue two days later. It appears Yahoo has fixed the issue by restricting access to the administration panel and the page containing the SQL injection vulnerability.

While these are critical vulnerabilities, Yahoo has informed the researcher that his findings are not eligible for a reward.

“I find it very strange that Yahoo did not pay a bounty for such Critical bug even if it falls outside the scope. Yahoo pays for Critical vulnerabilities in Out of Scope domains. If a SQLI to RCE to Root Privilege is not a Critical bug, then what could be?!” Hegazy said in a blog post.

This isn’t the first time a researcher gains access to an administration panel on a Yahoo-powered website. Last month, Nathaniel Wakelam, an Australian security researcher who works as a consultant at RMSEC, told SecurityWeek that he had leveraged a non-technical bug to access an admin panel used internally by Yahoo staff.

In June,  California-based security researcher Behrouz Sadeghipour found a vulnerability in the Yahoo Toolbar that generated a stored cross-site scripting (XSS) flaw on several high-profile websites, including Twitter, Amazon, Google and YouTube.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.