Yahoo Patches SSRF Vulnerability
Wednesday, July 1, 2015 @ 05:07 PM gHale
If a user wants to view an image on Yahoo, it should be all clear as the firm patched a SSRF vulnerability which affected all its services that required images to be processed.
SSRF (Server-Side Request Forgery) vulnerabilities, also known as XSPA (Cross-Site Port Attack), exist when an application that processes user supplied URLs doesn’t properly verify the response from the server before sending it back to the client.
An attacker can exploit that flaw to attempt to bypass access controls (e.g. firewalls), conduct port scanning by using the affected servers as a proxy, and even access data on a system.
California-based security researcher Behrouz Sadeghipour discovered a SSRF/XSPA vulnerability in a Yahoo image processing system back in July last year. He immediately reported his findings, but it took the company 11 months to address the bug.
Yahoo services such as Flickr and Yahoo Groups allow users to utilize the IMG tag in comments and messages. When posted, the images process through yimg.com, Yahoo’s image domain.
Sadeghipour first discovered he could use the request to yimg.com to execute cross-site scripting (XSS) payloads. He also found he could launch SSRF attacks by replacing the value of the “url” parameter in the request with his own URL.
Sadeghipour said the vulnerability allowed him to internally access local networks and determine which ports are open on a specific local or remote machine.