[Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility
While mapping out sub-domains of Yahoo, I stumbled upon https://bf1-uaddbcx-002.data.bf1.yahoo.com
It wasn’t behind a VPN, just like other sub-domains of the type *.002.data.bf1.yahoo.com. After opening the link it showed
According to the documentation:
“EMC Unisphere presents a new approach to unified storage management through a simple, flexible, and integrated user experience. Information is consolidated and visible through a single lens, and managing storage is simplified by providing an intuitive, context-based approach. Users can customize their view and easily reallocate data. Unisphere also provides users with an extensive network of support and collaboration with other users.”
I clicked on “Start a new Unisphere session”; however, I kept running into a JRE runtime error, so I decided to shift my focus away from that.
While brute-forcing directories, I got a 200 HTTP response code from https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/
It looked like the Unisphere debug facility, which was directly accessible.
I was able to tamper with and have read/write access to all the debugging options, including the log files.
It also had a very insecure login mechanism, which I was able to bypass.
I got awarded a bounty by Yahoo for filing this bug report.