Vulnerabilities in open source streaming platforms YouPHPTube and AVideo could lead to RCE


SQL injection, XSS flaws among issues reported to developers


Multiple vulnerabilities in the open source video platforms YouPHPTube and AVideo could be chained to achieve remote code execution (RCE) on the server hosting the platform.

Researchers from Synacktiv found that the flaws, which sit in source code shared by the two projects, stem from a lack of user input sanitization, according to their technical write-up.

 

The issues include an unauthenticated SQL injection vulnerability, multiple cross-site scripting (XSS) flaws, and a file write vulnerability.

Issues

The SQL injection bug could allow attackers to extract sensitive data such as password hashes. It could also allow an unauthenticated user to become an administrator.

 

Multiple reflected XSS vulnerabilities could be used to steal administrators’ session cookies and perform actions as an administrator.

 

Finally, a file write flaw could allow an administrator to execute malicious code on the server. Because the SQL injection and the XSS bugs both offer a route to administrator privileges, the file write turns those issues into full server compromise from an unauthenticated starting point.


Synacktiv said there is no official workaround at this time, but added that users should sanitize $catName input data properly before processing SQL queries to avoid SQL injection. “Removing simple quotes is not a sufficient process,” researchers added.

“Sanitize searchPhrase, u and redirectUri with htmlentities function to avoid HTML and JavaScript injections.

“Finally, server side file write through flag and code parameters without file type checks should not be authorized even for administrators.”
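The three remediation points above, worked through in PHP as an added example. This is not code from the Synacktiv write-up or from the YouPHPTube/AVideo projects; the table name `categories`, the PDO handle `$pdo`, the function names and the allowed upload extensions are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not YouPHPTube/AVideo code. The table "categories", the PDO
// handle $pdo, the upload directory and the extension allowlist are hypothetical.

// 1. SQL injection: why "removing simple quotes" is not sufficient.
//    Vulnerable: $catName is interpolated into the SQL text.
function findCategoryVulnerable(PDO $pdo, string $catName): array
{
    $catName = str_replace("'", '', $catName);       // quote stripping, does not work
    $sql = "SELECT id, name FROM categories WHERE name = '$catName'";
    // Payloads that survive quote stripping:
    //  - a trailing backslash escapes the closing quote, so a second interpolated
    //    parameter in the same statement can finish the injected clause;
    //  - any unquoted use of user input, e.g. "... WHERE id = $id", needs no
    //    quote at all: id=1 OR 1=1.
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

//    Fixed: parameterised query; the value never becomes part of the SQL text.
function findCategory(PDO $pdo, string $catName): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM categories WHERE name = :name');
    $stmt->execute([':name' => $catName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Reflected XSS (searchPhrase, u, redirectUri): encode on output.
//    ENT_QUOTES also encodes the single quote, so the result is safe inside
//    "..." and '...' attributes as well as in element text.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

//    redirectUri needs validation on top of encoding: htmlentities stops tag and
//    attribute injection, but a javascript: URL placed in an href is still a
//    working link. Accept only a same-site relative path ("/..." but not "//...").
function safeRedirect(string $redirectUri): string
{
    if (preg_match('#\A/(?![/\\\\])\S*\z#', $redirectUri) !== 1) {
        return '/';                                    // fall back on anything else
    }
    return $redirectUri;
}

echo '<input name="searchPhrase" value="' . e($_GET['searchPhrase'] ?? '') . '">';
echo '<a href="' . e(safeRedirect($_GET['redirectUri'] ?? '/')) . '">back</a>';

// 3. Server-side file write: an admin-only "write any file" feature is still RCE
//    once an admin session is obtained (see the SQLi and XSS routes above). If a
//    file must be written, constrain the name, the extension and the final path.
function writeUploadSafely(string $baseDir, string $name, string $contents): string
{
    $allowed = ['txt', 'json', 'vtt'];                 // never .php, .phtml, .htaccess
    $name = basename($name);                           // drop directory components
    $lower = strtolower($name);
    $ext = pathinfo($lower, PATHINFO_EXTENSION);
    if (!in_array($ext, $allowed, true)
        || strpos($lower, '.php') !== false            // also blocks x.php.txt double extensions
        || preg_match('/\A[A-Za-z0-9_.-]+\z/', $name) !== 1) {
        throw new InvalidArgumentException('rejected file name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (dirname($target) !== $base) {
        throw new RuntimeException('path escapes upload directory');
    }
    file_put_contents($target, $contents, LOCK_EX);
    return $target;
}
```

The order matters: the prepared statement and output encoding close the two routes to an administrator session, and the allowlist on the file write removes the step that turns an administrator session into code execution. Encoding alone is not enough for `redirectUri`, which is why it gets its own validation before being encoded.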

 

The vulnerabilities affect AVideo versions 10.0 and below, and YouPHPTube versions 7.8 and below.

 

A more detailed description and proof of concept can be found in this technical write-up (PDF).

 

Synacktiv has reported the issues to the open source projects’ developers.

 

 

Source: Vulnerabilities in open source streaming platforms YouPHPTube and AVideo could lead to RCE
