7 matches found

Hacker One
added 2015/05/11 12:49 p.m. | 12 views

Yahoo!: YQL: From CR/LF injection to root compromise

The Yahoo Query Language (YQL) allowed sending outgoing HTTP requests, and custom headers could be added using the header method. A vulnerability existed wherein CR/LF (carriage return/line feed) sequences could be injected into these custom headers, enabling HTTP request smuggling attacks. This bypassed...

AI score: 7.1
Exploits: 0
Hacker One
added 2014/07/10 5:39 p.m. | 8 views

Yahoo!: Out-of-band read of arbitrary ASCII files on YQL backend servers via XML external parameter entities

The Yahoo Query Language (YQL) service allowed arbitrary XML documents to be loaded via the feednormalizer table and its prexslurl parameter. This enabled an attacker to exfiltrate data from the YQL backend servers by defining external parameter entities in the XML document that read local files. T...

AI score: 6.9
Exploits: 0
Hacker One
added 2014/07/10 2:36 p.m. | 11 views

Yahoo!: Read arbitrary ASCII files on YQL backend servers via XSLT unparsed-entity-uri() and parameter entities

A hacker discovered a vulnerability that allowed an unauthorized actor to read arbitrary ASCII files and list directories on the Yahoo Query Language (YQL) backend servers. This was achieved by leveraging the unparsed-entity-uri() XSLT function and the dynamic declaration of unparsed XML entities when...

AI score: 7.6
Exploits: 0
Hacker One
added 2014/03/16 11:11 p.m. | 11 views

Yahoo!: Code execution in "ymon" WebService, reached after bypassing the anti-loopback blacklist through YQL and HTTP redirects

A security vulnerability was discovered in Yahoo's "ymon" web service. An attacker bypassed the anti-loopback denylist by leveraging the Yahoo Query Language (YQL) and HTTP redirects, ultimately achieving code execution. The vulnerability stemmed from the lack of proper input validation and sanitizatio...

AI score: 8.2
Exploits: 0
Hacker One
added 2014/02/13 7:22 p.m. | 135 views

Yahoo!: Yahoo YQL Injection?

Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, this functionality is working as designed. We appreciate your adherence to responsible disclosure guidelines and look forward t...

AI score: 6.6
Exploits: 0
Hacker One
added 2014/02/06 12:4 a.m. | 42 views

Yahoo!: Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes)

Thank you for your submission to Yahoo’s Bug Bounty program. There were similar reports submitted; this report is marked as closed, as the other reports will be triaged. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program. ...

AI score: 6.7
Exploits: 0
ThreatPost
added 2012/12/04 3:17 a.m. | 21 views

Bug Hunter Finds 'Blended Threat' Targeting Yahoo Web Site

A Romanian bug hunter has discovered a “blended threat” targeting Yahoo’s Developer Network Web site that allows unauthorized access to Yahoo users’ emails and private profile data. At a security conference Sunday, Sergiu Dragos Bogdan demonstrated an abbreviated version of an attack using the YQ...

AI score: 1.2
Exploits: 0
References: 2