Source Code Analysis in YSurvey — Luminate bug

Rojan Rijal
Apr 10, 2018 · 2 min read

This is going to be a really short bug write-up, and also an example of why you should do source code analysis whenever you can.

While analyzing a web application add-on that Yahoo offers for Luminate, I decided to look at YSurvey's source code as well. YSurvey lets website owners create surveys for their visitors. By design there is only one admin in YSurvey, the website owner; visitors filling out a survey have no user accounts. This is important for understanding the bug.

During the analysis, I found that when the admin panel is accessed, a cookie is used to decide whether the user is the admin. The code simply checked whether the cookie was set to cid=1 or not.

So I opened an incognito session and modified the cookie on the fly. Once cid=1 was added to the request, I was given access to the admin panel of that website (Video 1).
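To make the flaw concrete, here is an added illustration (not YSurvey's code, which was never published) of the admin check as described above, beside a check that keeps the admin flag in server-side session state. The cookie name cid and value 1 come from the write-up; the session key, the login function and the sample password are assumptions made for this example. In the real application the arrays would be $_COOKIE and $_SESSION; plain arrays are used so the script runs from php-cli with no web server.

```php
<?php
// Added example, not the YSurvey source: a client-controlled admin cookie
// versus a server-side session flag. Names other than "cid" are assumptions.

declare(strict_types=1);

// BEFORE: the admin decision rests on a value the client sends. Anyone can add
// "Cookie: cid=1" to a request, which is exactly what the bypass above does.
function isAdminViaCookie(array $cookies): bool
{
    return isset($cookies['cid']) && $cookies['cid'] === '1';
}

// AFTER: the admin flag lives in server-side session storage and is only set
// after a successful password check. The client holds nothing but an opaque
// session id, so it has no value it could flip to "1".
function isAdminViaSession(array $session): bool
{
    return ($session['is_admin'] ?? false) === true;
}

// Owner login: verify the password against the stored hash, then mark the
// session. In a real handler call session_regenerate_id(true) here as well,
// so a session id fixed by an attacker before login never becomes an admin one.
function loginOwner(string $password, string $storedHash, array &$session): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $session['is_admin'] = true;
    return true;
}

// Constructed inputs standing in for $_COOKIE and $_SESSION.
$forgedCookies = ['cid' => '1'];                // attacker-chosen cookie
$session       = [];                            // fresh, unauthenticated session
$ownerHash     = password_hash('constructed-owner-password', PASSWORD_DEFAULT);

echo "cookie check, forged cid=1: ";
var_dump(isAdminViaCookie($forgedCookies));     // the forged cookie is enough

echo "session check before login: ";
var_dump(isAdminViaSession($session));          // no flag set on the server

echo "login with wrong password: ";
var_dump(loginOwner('not-the-password', $ownerHash, $session));

echo "login with correct password: ";
var_dump(loginOwner('constructed-owner-password', $ownerHash, $session));

echo "session check after login: ";
var_dump(isAdminViaSession($session));          // only now is the user admin
```

The point of the contrast is where the decision is made: the cookie variant lets the client assert its own role, while the session variant makes the server the sole holder of the role and ties it to a password check. Run it with `php admin_check.php` (any filename will do).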

Video 1: Conducting request from Burp

After gaining admin access, I wanted to see whether I could escalate the attack and make it more severe. This is when a SQL injection vulnerability was discovered in YSbuilder.

After finding and reporting this vulnerability, I started analyzing the source code. During the analysis I found that when the admin loads their survey templates, a GET request is made that queries the SQL database. This was vulnerable to SQL injection because of the following code:

[Screenshot not reproduced: PHP code that made the SQL query]

In this code, t_id was taken directly from the GET request and placed into the query without any form of validation or sanitization.
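Since the screenshot of the vulnerable query is not reproduced here, the following added example (written for this page, not the YSbuilder source) reconstructs the pattern the write-up describes: the t_id value from the query string concatenated into the SQL text, beside a version that binds it as a parameter. The parameter name t_id and the fact that it came from GET are from the write-up; the table and column names, the second table, and the rows are constructed so the script runs on php-cli with the bundled pdo_sqlite driver.

```php
<?php
// Added example, not the YSurvey/YSbuilder source: string-built query versus
// a prepared statement. Schema and data are constructed for the demo.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the survey template table.
$db->exec('CREATE TABLE templates (t_id INTEGER PRIMARY KEY, owner TEXT, name TEXT)');
$db->exec("INSERT INTO templates VALUES (1, 'site-a', 'Visitor feedback'),
                                        (2, 'site-b', 'Checkout survey')");
// Constructed stand-in for any other table reachable over the same connection.
$db->exec('CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'root', 'constructed-hash')");

// BEFORE: the value from ?t_id=... is spliced into the SQL text, so the
// attacker writes part of the query.
function loadTemplateVulnerable(PDO $db, string $tId): array
{
    $sql = 'SELECT t_id, owner, name FROM templates WHERE t_id = ' . $tId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the shape of the input is checked first, and the value travels to the
// database as a bound parameter, never as part of the SQL text.
function loadTemplateSafe(PDO $db, string $tId): array
{
    if (preg_match('/^\d{1,9}$/', $tId) !== 1) {
        throw new InvalidArgumentException('t_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT t_id, owner, name FROM templates WHERE t_id = :t_id');
    $stmt->execute([':t_id' => (int) $tId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: what an attacker would put after ?t_id=
// (URL-decoded). The UNION selects the same number of columns as the
// original query, so the users rows come back in place of templates.
$payload = '0 UNION SELECT id, login, pw_hash FROM users';

echo "vulnerable, legitimate id:\n";
print_r(loadTemplateVulnerable($db, '1'));

echo "vulnerable, injected payload:\n";
print_r(loadTemplateVulnerable($db, $payload));   // rows from users leak out

echo "safe, legitimate id:\n";
print_r(loadTemplateSafe($db, '1'));

echo "safe, injected payload:\n";
try {
    loadTemplateSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two things are worth noting. The prepared statement alone would already stop the injection, because a bound parameter is sent as data and cannot change the query structure; the regular expression is an extra layer that also gives a clean error for malformed input. And because the vulnerable query runs with whatever privileges the application's database account has, the blast radius of a single unsanitized GET parameter is the whole database that account can see, which is what made escalation possible in this case.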

This made everything far more severe, because we could now access the root SQL database and leverage it to attack the older version of phpMyAdmin they had installed. This would give us multiple kinds of access, such as FTP, allowing an attacker to deface the user's whole website.

September 18, 2017: Initial report sent

September 18, 2017: Triaged and Bounty Awarded

September 18, 2017: Further analysis submitted, including the SQL injection

For the fix, Yahoo decided to discontinue YSurvey, which was a wise choice: other resources do the same thing and can help make Yahoo Small Business more efficient for its users.

It was extremely fun to work with Yahoo's security team on these vulnerabilities. If you haven't already, I highly recommend that you try out their program.
