Nuevolabs Nuevoplayer For Clipshare SQL Injection
Posted on 31 October 2014
Nuevolabs Nuevoplayer for clipshare SQL Injection ======================================================================= :: ADVISORY SUMMARY :: Title: Nuevolabs Nuevoplayer for clipshare Sql Injection Vendor: NUEVOLABS (www.nuevolabs.com) Product: NUEVOPLAYER for clipshare Credits: Cory Marsh - protectlogic.com Discovery: 2014-10-10 Release: 2014-10-28 Nueovplayer is a popular flash video player with integration into multiple popular video sharing suites. The most notable is Clipshare (clip-share.com). Nuevoplayer provides flash video playing capabilities to third party video sharing suites. :: VULNERABILITY :: Type: SQL Injection and Privilege Escalation Category: Remote Severity: High CVSS2: 7.7 CVSS2: (AV:N/AC:L/Au:N/C:P/I:P/A:C/E:F/RL:TF/RC:C) CVE-ID: CVE-2014-8339 :: AFFECTED PRODUCT VERSIONS :: NUEVOLABS NUEVOPLAYER for clipshare version 8.0 and possibly earlier. nuevolabs.com clip-share.com :: VULNERABILITY DETAILS :: A sql injection vulnerability in nuevo player midroll feature with integration for clipshare allows remote attackers to read any information in the effected mysql database. Midrolls allow sites to insert ads or "midrolls" into videos during playback. Because clipshare stores the administrator password in the database this leads to full comprise of the effected clipshare system. :: SOLUTION :: Vendor is not providing patches for effected customers. If the site does NOT use midrolls, you can simply delete midroll.php to protect yourself. If you wish to patch the issue, you can apply this patch to midroll.php which wraps the $ch variable in a intval() function on line 29 of midroll.php: line 29: 'channel = '.$ch. becomes: 'channel = '.intval($ch). ------------------- CUT HERE ------------------- --- midroll.php 2014-10-16 21:02:36.077663202 -0600 +++ midroll-patched.php 2014-10-16 21:02:02.197662566 -0600 @@ -26,7 +26,7 @@ $chans = explode("|",$channel); foreach($chans as $ch) { - if(!$ch=='0') { $add.='channel = '.$ch.' OR '; } + if(!$ch=='0') { $add.='channel = '.intval($ch).' OR '; } } $add =trim($add); $add=trim($add,'OR');$add=trim($add); ------------------- CUT HERE ------------------- To apply the patch, copy paste this to a new file (midroll.patch for example), upload this file to your server and apply the patch with the command: patch /path/to/midroll.php < /path/to/midroll.patch eg: $ cp midroll.php /var/www/site/nuevo/midroll.patch $ cd /var/www/site/nuevo $ patch midroll.php < midroll.patch :: DISCLOSURE :: 2014-10-15 initial vendor contact - no response 2014-10-21 CVE requested 2014-10-23 CVE assigned, vendor contact - no response 2014-10-24 posted to vendor forum - no respsone 2014-10-25 fourth vendor contact - no response 2014-10-26 vendor deletes post and suspends account 2014-10-29 public disclosure :: DISCLAIMER :: THE INFORMATION PRESENTED HEREIN ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
