Yahoo! Unrestricted File Upload Vulnerability

Hi all,

In this write-up I'll explain how I found an unrestricted file upload in https://reports-as.web.analytics.yahoo.com/

This is the PoC I sent to Yahoo! Security.

These are the steps to reproduce the issue:
1) Log in at yahoo.com.

2) Once logged in, go to https://reports-as.web.analytics.yahoo.com/Login.vm and click on “Manage Scheduled Reports”.

3) Click on the “Do you want to change your company logo that appears on HTML and PDF reports?” button. This section only allows the upload of images with .gif, .jpg or .png extensions. I found a way to bypass this restriction by uploading a text file: a.txt, containing the line “Yahoo Server Unrestricted File Upload by Andrea Santese”, renamed to a.txt.jpg. Upload this file and click on the “Upload” button. Once uploaded, the message “Image file is uploaded successfully!” appears, so the file has been accepted. I noticed that the uploaded file is served at https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer

When we open this link, the browser shows an error like the following: “The image “https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer” cannot be displayed because it contains errors.”

This error is caused by the “Content-Type: image/jpg” header the Yahoo server sends in response to a GET request for https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer: the browser tries to decode our text as a JPEG and fails. To see the stored content we change it to “Content-Type: text/html” with a proxy such as Burp Suite, intercepting the server's response and modifying the Content-Type on the fly. Configure the browser to use the Burp Suite proxy, then make a GET request to https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer. Before clicking “Forward” or “Drop”, right-click on the raw request and select “Do Intercept” -> “Response to this request”. Now click on the “Forward” button. The response will look like the following:

HTTP/1.1 200 OK
Date: Wed, 26 Mar 2014 10:32:01 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Wed, 26 Mar 2014 10:32:02 GMT
Expires: Wed, 26 Mar 2014 10:32:02 GMT
Accept-Ranges: bytes
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Connection: close
Content-Type: image/jpg
Content-Length: 57

Yahoo Server Unrestricted File Upload by Andrea Santese

Now change Content-Type: image/jpg into Content-Type: text/html and click on the “Forward” button.

The content of the a.txt.jpg file now shows up in the browser. Note that in this last step the Content-Type was changed in our own proxy, so only our own browser renders the file as HTML; what the server itself demonstrates is that it stored and now serves arbitrary non-image content under a .jpg name with an image Content-Type, which is the extension check being bypassed.
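As an added example that is not part of the original write-up and not Yahoo's code (the source of the LogoServer servlet is not public): a hypothetical reconstruction in Python of the extension-only filter the steps above bypass, beside a content-based check that rejects a.txt.jpg, the headers a hardened logo endpoint would send, and the check a tester can run on a raw HTTP response to confirm that the stored bytes do not match the declared Content-Type. Function names are my own; the payload and the reduced LogoServer response are constructed from the write-up's own output.

```python
import os

# Extension -> MIME type the server would legitimately serve for it.
ALLOWED = {".gif": "image/gif", ".jpg": "image/jpeg",
           ".jpeg": "image/jpeg", ".png": "image/png"}

# Leading bytes a real file of each type must carry.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


def extension_allowed(filename):
    """Vulnerable check (hypothetical reconstruction of the upload form):
    only the last extension of the user-supplied name is consulted, so
    'a.txt.jpg' full of text is accepted."""
    return os.path.splitext(filename.lower())[1] in ALLOWED


def sniff_image_type(data):
    """Return the MIME type whose signature the content starts with, or None."""
    for mime, signatures in MAGIC.items():
        if data.startswith(signatures):
            return mime
    return None


def validate_upload(filename, data, max_bytes=1_000_000):
    """Hardened check: size, extension and content signature must all agree.
    Returns the server-chosen MIME type or raises ValueError."""
    if len(data) > max_bytes:
        raise ValueError("upload exceeds size limit")
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError("content is not a GIF, JPEG or PNG")
    if mime != ALLOWED[ext]:
        raise ValueError(f"extension implies {ALLOWED[ext]} but content is {mime}")
    return mime


def upload_outcome(filename, data):
    """Run both checks and report what each would do with the upload."""
    try:
        hardened = ("accepted", validate_upload(filename, data))
    except ValueError as err:
        hardened = ("rejected", str(err))
    return {"extension_only": extension_allowed(filename), "hardened": hardened}


def logo_headers(mime, length):
    """Headers for serving a stored logo: the type comes from the validated
    content, not the filename, and the browser is told not to sniff."""
    return {
        "Content-Type": mime,
        "Content-Length": str(length),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
        "Cache-Control": "no-store",
    }


def check_served_response(raw):
    """Tester's check on a raw HTTP response: does the body carry the
    signature of the declared type, and is sniffing disabled? A mismatch
    means unvalidated content is being stored and served."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    normalized = "image/jpeg" if declared == "image/jpg" else declared  # non-standard alias
    actual = sniff_image_type(body)
    return {
        "declared": declared,
        "actual": actual,
        "nosniff": headers.get("x-content-type-options", "").lower() == "nosniff",
        "mismatch": actual != normalized,
    }


# Constructed sample inputs: the text payload from the write-up, a minimal PNG
# header, and the LogoServer response reduced to the headers that matter.
TEXT_PAYLOAD = b"Yahoo Server Unrestricted File Upload by Andrea Santese\r\n"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
LOGO_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpg\r\n"
    b"Content-Length: 57\r\n"
    b"Connection: close\r\n"
    b"\r\n" + TEXT_PAYLOAD
)

if __name__ == "__main__":
    print(upload_outcome("a.txt.jpg", TEXT_PAYLOAD))
    print(upload_outcome("logo.png", PNG_STUB))
    print(check_served_response(LOGO_RESPONSE))
```

Running the block prints both verdicts: the extension-only check accepts a.txt.jpg while the hardened one rejects it, and the response check flags a body with no JPEG signature behind an image/jpg header and no X-Content-Type-Options. The mismatch is the server-side finding; the Burp step in the write-up only changes what one's own browser does with that mismatched body.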