[Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility

While mapping out sub-domains of Yahoo I stumbled upon https://bf1-uaddbcx-002.data.bf1.yahoo.com

It wasn’t behind a VPN, just like the other sub-domains of the type *.002.data.bf1.yahoo.com. After opening the link, it showed:

According to the documentation:

“EMC Unisphere presents a new approach to unified storage management through a simple, flexible, and integrated user experience. Information is consolidated and visible through a single lens and managing storage is simplified by providing an intuitive, context-based approach. Users can customize their view and easily reallocate data. Unisphere also provides users with an extensive network of support and collaboration with other users.”

I clicked on “Start a new Unisphere session”; however, I kept running into a JRE runtime error, so I decided to shift my focus away from that.

While brute-forcing directories, I got a 200 HTTP response code from https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/

It looked like the Unisphere debug facility, which was directly accessible.

I was able to tamper with, and had read/write access to, all the debugging options, including the log files.
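From the defender's side, the two symptoms in this report (a directory brute-force run, followed by a successful request to the exposed `/Debug/` path from outside the VPN) are both visible in ordinary web-server access logs. The script below is an added example, not code from the original write-up or from Yahoo or EMC: it parses constructed Common Log Format lines, flags any HTTP 200 on `/Debug/` from a client outside an assumed trusted range, and flags clients that hit many distinct 404s within a short window. The trusted network (`10.0.0.0/8`), thresholds, IP addresses and timestamps are all assumptions chosen for the sample.

```python
"""
Added example (not from the original write-up): detection logic a defender
could run over web-server access logs to catch the two symptoms described in
the post: (1) a successful (HTTP 200) request to the Unisphere /Debug/ path
from a client outside the trusted VPN range, and (2) a directory brute-force
burst, i.e. many 404s for distinct paths from one client in a short window.
The log lines, trusted range and thresholds below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed: VPN/internal clients arrive from this range (placeholder, not Yahoo's).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Paths that must never answer 200 to a client outside the trusted range.
SENSITIVE_PATHS = ("/Debug/",)
BRUTE_FORCE_404_THRESHOLD = 5      # distinct 404 paths from one client ...
BRUTE_FORCE_WINDOW_SECONDS = 60    # ... within this many seconds

# Common Log Format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one external client brute-forces five directories,
# then reaches /Debug/; an internal client reaches /Debug/ legitimately.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 169
203.0.113.7 - - [10/Mar/2016:12:00:02 +0000] "GET /backup/ HTTP/1.1" 404 169
203.0.113.7 - - [10/Mar/2016:12:00:03 +0000] "GET /config/ HTTP/1.1" 404 169
203.0.113.7 - - [10/Mar/2016:12:00:04 +0000] "GET /test/ HTTP/1.1" 404 169
203.0.113.7 - - [10/Mar/2016:12:00:05 +0000] "GET /old/ HTTP/1.1" 404 169
203.0.113.7 - - [10/Mar/2016:12:00:06 +0000] "GET /Debug/ HTTP/1.1" 200 5120
10.20.30.40 - - [10/Mar/2016:12:05:00 +0000] "GET /Debug/ HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2016:12:06:00 +0000] "GET / HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed_debug_access(entries):
    """Client IPs that got a 200 on a sensitive path from outside the VPN range."""
    return sorted({e["ip"] for e in entries
                   if e["status"] == 200
                   and e["path"].startswith(SENSITIVE_PATHS)
                   and not is_trusted(e["ip"])})


def find_bruteforce_clients(entries):
    """Client IPs producing >= threshold distinct 404 paths inside one window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        for i, first in enumerate(hits):
            window = [h for h in hits[i:]
                      if (h["ts"] - first["ts"]).total_seconds()
                      <= BRUTE_FORCE_WINDOW_SECONDS]
            if len({h["path"] for h in window}) >= BRUTE_FORCE_404_THRESHOLD:
                flagged.add(ip)
                break
    return sorted(flagged)


def analyze(log_text):
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "exposed_debug": find_exposed_debug_access(entries),
        "bruteforce": find_bruteforce_clients(entries),
    }


if __name__ == "__main__":
    for kind, ips in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```

On the sample, both checks name the same external client, while the internal `10.20.30.40` hit on `/Debug/` is not flagged; in a real deployment the first finding is the one that matters, since a management-server debug path should never be reachable from outside the VPN at all, regardless of how the client found it.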

It also had a very insecure login mechanism, which I was able to bypass.

I got awarded a bounty by Yahoo for filing this bug report.