Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube

Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube
Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Post by Jon Munshaw.

YouPHPTube contains multiple vulnerabilities that could allow an attacker to carry out a variety of malicious activities. Specially crafted, attacker-created web requests can allow an attacker to inject SQL code into the application in some of these cases. YouPHPTube is an open-source program that can allow users to create their own, custom video sites. The software is meant to mimic popular websites such as YouTube, Netflix and Vimeo, according to its website. If successful, an attacker could use these vulnerabilities to gain the ability to exfiltrate files in the database, steal user credentials and, in some configurations, access the underlying operating system.In accordance with our coordinated disclosure policy, Cisco Talos worked with YouPHPTube to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

YouPHPTubeEncoder base64Url multiple command injections (TALOS-2019-0917/CVE-2019-5127, CVE-2019-5129)

Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube . Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameters to trigger these vulnerabilities, potentially allowing exfiltration of the database, user credentials and compromise the underlying operating system. Unlike the other vulnerabilities outlined in this blog, an attacker does not need credentials to log in to exploit this bug.