Another now-closed bug in Yahoo's servers have revealed that it was running an old server kernel allowing root access to its system, according to security researcher Ebrahim Hegazy.
Hegazy found that by manipulating one of the parameters in the URLs used in Yahoo Mail, he could cause the server to execute system commands remotely.
On Yahoo's end, the parameter is used within a php eval() function, which takes a strings (the parameter Hegazy manipulated) and executes it as php code. The documentation for the php function explicitly warns against its use where possible, and, where there is no other option, states the string passed to eval() be validated carefully.
This validation process appears not to have happened, with Hegazy able to use a combination of print() and system() functions to execute commands and return the results.
At this point, Hegazy was able to execute any code with the same privileges as the account that started the web server, including listing running processes, logged in users, and directory contents.
However, he later discovered that the server kernel being used was outdated and contained a vulnerability that would have allowed him to escalate the privileges of the web server account, and gain root access.
Hegazy reported his findings to Yahoo on January 20, and the next day, it responded and issued a fix.
The vulnerability comes only a week after it was revealed that Facebook also had a vulnerability that could have allowed for remote code execution on its servers.
In that case, Facebook closed the hole within hours and paid the researcher $33,500.
Yahoo has emailed Hegazy, stating that if his bug falls within the scope of its bug bounty, someone will soon be in contact about a reward.