Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities.
YouPHPTube contains multiple vulnerabilities that could allow an attacker to carry out a variety of malicious activities. Specially crafted, attacker-created web requests can allow an attacker to inject SQL code into the application in some of these cases. YouPHPTube is an open-source program that can allow users to create their own, custom video sites. The software is meant to mimic popular websites such as YouTube, Netflix and Vimeo, according to its website. If successful, an attacker could use these vulnerabilities to gain the ability to exfiltrate files in the database, steal user credentials and, in some configurations, access the underlying operating system.
In accordance with our coordinated disclosure policy, Cisco Talos worked with YouPHPTube to ensure that these issues are resolved and that an update is available for affected customers.
Update (Oct. 30, 2019): Talos is disclosing two additional vulnerabilities in YouPHPTube — TALOS-2019-0940 and TALOS-2019-0941.
Vulnerability details
YouPHPTubeEncoder base64Url multiple command injections (TALOS-2019-0917/CVE-2019-5127, CVE-2019-5129)
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with specific parameters to trigger these vulnerabilities, potentially allowing exfiltration of the database and user credentials and compromise of the underlying operating system. Unlike the other vulnerabilities outlined in this blog, an attacker does not need credentials to log in to exploit this bug.
Read the complete vulnerability advisory here for additional information.
YouPHPTube /objects/pluginSwitch.json.php multiple SQL injection vulnerabilities (TALOS-2019-0911/CVE-2019-5121, CVE-2019-5123)
Exploitable SQL injection vulnerabilities exist in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger these vulnerabilities, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
Read the complete vulnerability advisory here for additional information.
YouPHPTube/plugin/AD_Server/view/campaignsVideos.json.php id SQL injection vulnerability (TALOS-2019-0910/CVE-2019-5120)
An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
Read the complete vulnerability advisory here for additional information.
YouPHPTube /objects/subscribeNotify.json.php user_id SQL injection vulnerability (TALOS-2019-0909/CVE-2019-5119)
An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
Read the complete vulnerability advisory here for additional information.
YouPHPTube /objects/subscribe.json.php SQL injection vulnerability (TALOS-2019-0908/CVE-2019-5117)
Exploitable SQL injection vulnerabilities exist in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger these vulnerabilities, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
Read the complete vulnerability advisory here for additional information.
YouPHPTube /objects/videoAddNew.json.php SQL injection vulnerability (TALOS-2019-0907/CVE-2019-5116)
An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
Read the complete vulnerability advisory here for additional information.
YouPHPTube /objects/commentAddNew.json.php comments_id SQL injection vulnerability (TALOS-2019-0906/CVE-2019-5114)
Exploitable SQL injection vulnerabilities exist in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger these vulnerabilities, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
Read the complete vulnerability advisory here for additional information.
YouPHPTube /objects/videoAddNew.json.php SQL injection vulnerability (TALOS-2019-0940/CVE-2019-5150)
An exploitable SQL injection vulnerability exists in YouPHPTube 7.7. When the "VideoTags" plugin is enabled, a specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.
YouPHPTube /objects/video.php getVideo videoName code execution vulnerability (TALOS-2019-0941/CVE-2019-5151)
An exploitable SQL injection vulnerability exists in YouPHPTube 7.7. A specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.
Versions tested
Researchers tested and confirmed that versions 6.2 and 7.6 are affected by TALOS-2019-0906, TALOS-2019-0907, TALOS-2019-0908, TALOS-2019-0909, TALOS-2019-0910 and TALOS-2019-0911. Version 7.6 is affected by TALOS-2019-0917.
Coverage
The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 51587 - 51592, 51597 - 51599, 51600 - 51602, 51608 - 51610, 51924 - 51928
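As a complement to the Snort coverage above, the following added example (not part of the Talos advisory or the YouPHPTube code base) triages a web server access log for requests to the endpoints named in the headings on this page. It assumes combined log format and that the `id`, `user_id` and `comments_id` parameters are plain integers in normal use; parameters sent in a POST body are not logged, so the endpoints for which the page names no parameter are only listed for manual review. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint -> parameter, exactly as named in the advisory headings on this page.
ID_PARAMS = {
    "/plugin/AD_Server/view/campaignsVideos.json.php": "id",
    "/objects/subscribeNotify.json.php": "user_id",
    "/objects/commentAddNew.json.php": "comments_id",
}
# Affected endpoints for which the page names no parameter: report every hit.
REVIEW_ONLY = (
    "/objects/pluginSwitch.json.php",
    "/objects/subscribe.json.php",
    "/objects/videoAddNew.json.php",
)
# Common/combined access-log prefix: client, timestamp, request line, status.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def triage(lines):
    """Return (line_no, client, endpoint, reason) for requests worth reviewing."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        url = urlsplit(target)
        # Match on the path suffix: the site may be installed in a sub-directory.
        for endpoint, param in ID_PARAMS.items():
            if not url.path.endswith(endpoint):
                continue
            for key, value in parse_qsl(url.query, keep_blank_values=True):
                # Assumption: these IDs are plain integers in normal use.
                if key == param and not (value.isascii() and value.isdigit()):
                    findings.append((n, client, endpoint, "non-numeric " + param))
        for endpoint in REVIEW_ONLY:
            if url.path.endswith(endpoint):
                findings.append((n, client, endpoint, "affected endpoint, review body"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Oct/2019:10:00:01 +0000] "GET /objects/subscribeNotify.json.php?user_id=12 HTTP/1.1" 200 31',
    '203.0.113.9 - - [30/Oct/2019:10:00:07 +0000] "GET /objects/subscribeNotify.json.php?user_id=12%27 HTTP/1.1" 200 31',
    '198.51.100.2 - - [30/Oct/2019:10:01:12 +0000] "POST /tube/objects/videoAddNew.json.php HTTP/1.1" 200 54',
    '198.51.100.7 - - [30/Oct/2019:10:02:40 +0000] "GET /view/index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A hit from this script is a lead for review, not proof of exploitation; the Snort rules listed above remain the authoritative coverage.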