Vulnerabilities in open source streaming platforms YouPHPTube and AVideo could lead to RCE

Multiple vulnerabilities in open source video platforms YouPHPTube and AVideo could be leveraged to achieve remote code execution (RCE) on a user’s device.

Researchers from Synacktiv discovered multiple vulnerabilities in the source code shared by the projects that were due to a lack of user input sanitization, a technical write-up reads.

The issues include an unauthenticated SQL injection vulnerability, multiple cross-site scripting (XSS) flaws, and a file write vulnerability.

Issues

The SQL injection bug could allow attackers to extract sensitive data such as password hashes. It could also allow an unauthenticated user to become an administrator.

Multiple reflected XSS vulnerabilities could be used to steal administrators’ session cookies and perform actions as an administrator.

Finally, a file write flaw could allow an administrator to execute malicious code on the server.

Synacktiv said there is no official workaround at this time, but added that users should sanitize $catName input data properly before processing SQL queries to avoid SQL injection. “Removing simple quotes is not a sufficient process,” researchers added.

“Sanitize searchPhrase, u and redirectUri with htmlentities function to avoid HTML and JavaScript injections.

“Finally, server side file write through flag and code parameters without file type checks should not be authorized even for administrators”

The vulnerabilities affect AVideo versions 10.0 and below, and YouPHPTube versions 7.8 and below.

A more detailed description and proof of concept can be found in this technical write-up (PDF).

Synacktiv has reported the issues to the open source projects’ developers.

Source: https://portswigger.net/daily-swig/vulnerabilities-in-open-source-streaming-platforms-youphptube-and-avideo-could-lead-to-rce