Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Vastal I-tech phpVID 1.2.3 Cross Site Scripting

🗓️ 11 Mar 2015 00:00:00Reported by Jing WangType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 37 Views

Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities Advisor

Code
`*Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security  
Vulnerabilities*  
  
  
Exploit Title: Vastal I-tech phpVID Multiple XSS Security Vulnerabilities  
Product: phpVID  
Vendor: Vastal I-tech  
Vulnerable Versions: 1.2.3 0.9.9  
Tested Version: 1.2.3 0.9.9  
Advisory Publication: March 10, 2015  
Latest Update: March 10, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: *  
Impact CVSS Severity (version 2.0):  
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)  
Impact Subscore: 2.9  
Exploitability Subscore: 8.6  
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),  
Singapore]  
  
  
  
  
  
  
  
*Advisory Details:*  
  
  
*(1) Vendor & Product Description:*  
  
  
*Vendor:*  
Vastal I-tech  
  
  
  
*Product & Vulnerable Versions:*  
phpVID  
1.2.3  
0.9.9  
  
  
  
*Vendor URL & Download:*  
phpVID can be bought from here,  
http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA  
  
  
  
*Product Introduction:*  
"phpVID is a video sharing software or a video shating script and has all  
the features that are needed to run a successful video sharing website like  
youtube.com. The features include the following. phpVID is the best youtube  
clone available. The latest features include the parsing of the subtitles  
file and sharing videos via facebook. With phpVID Video Sharing is  
extremely easy. "  
  
"The quality of code and the latest web 2.0 technologies have helped our  
customers to achieve their goals with ease. Almost all customers who have  
purchased phpVID are running a successful video sharing website. The  
quality of code has helped in generating more then 3 million video views a  
month using a "single dedicated server". phpVID is the only software in  
market which was built in house and not just purchased from someone. We  
wrote the code we know the code and we support the code faster then anyone  
else. Have any questions/concerns please contact us at: [email protected].  
See demo at: www.phpvid.com. If you would like to see admin panel demo  
please email us at: [email protected]."  
  
"Server Requirements:  
Preferred Server: Linux any Version  
PHP 4.1.0 or above  
MySQL 3.1.10 or above  
GD Library 2.0.1 or above  
Mod Rewrite and .htaccess enabled on server.  
FFMPEG (If you wish to convert the videos to Adobe Flash)"  
  
  
  
  
  
*(2) Vulnerability Details:*  
phpVID web application has a security bug problem. It can be exploited by  
XSS (Cross-site Scripting) attacks. This may allow a remote attacker to  
create a specially crafted request that would execute arbitrary script code  
in a user's browser session within the trust relationship between their  
browser and the server. Some bug hunter researchers also have found other  
XSS vulnerabilities related to it before. phpVID has patched some of them.  
  
  
*(2.1)* The first code programming flaw occurs at "members.php?" page with  
"&browse" parameter.  
  
  
*(2.2)* The second code programming flaw occurs at "login.php?" page with  
"&next" parameter.  
  
  
*(2.3)* The third code programming flaw occurs at "search_results.php?"  
page with "&query" parameter.  
  
  
*(2.4) *The fourth code programming flaw occurs at "groups.php?" page with  
"&type" parameter.  
  
  
  
  
  
  
  
  
*References:*  
http://www.tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/  
http://securityrelated.blogspot.com/2015/03/vastal-i-tech-phpvid-123-multiple-xss.html  
http://www.inzeed.com/kaleidoscope/computer-web-security/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities-2/  
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/  
https://webtechwire.wordpress.com/2015/03/10/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/  
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142295509503651&w=2  
https://cxsecurity.com/issue/WLB-2015030026  
  
  
  
  
  
--  
Wang Jing,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  
https://twitter.com/tetraphibious  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Mar 2015 00:00Current
vastal i-techphpvidcross-site scriptingvulnerabilitiessecurityxssvideo sharing software
37