Hacking YouPHPTube 7.7 SQL Injection Vulnerability

Koc

Moderator
Messages
192
Reaction score
3,134
Points
93
YouPHPTube <= 7.7 (getChat.json.php) SQL Injection Vulnerability
----------------------------------------------------------------

[-] Software Link:

[-] Affected Versions:
Version 7.7 and prior versions.

[-] Vulnerability Description:
User input passed through the "live_stream_code" POST parameter to
/plugin/LiveChat/getChat.json.php is not properly sanitized before
being used to construct a SQL query. This can be exploited by malicious
users to e.g. read sensitive data from the database through in-band SQL
Injection attacks. Successful exploitation of this vulnerability
requires the "Live Chat" plugin to be enabled (disabled by default).

[-] Solution:
Upgrade to version 7.8 or later.

[-] Disclosure Timeline:
[31/10/2019] - Issue reported to https://git.io/JeD2U
[02/11/2019] - CVE number assigned
[02/12/2019] - Version 7.8 released
[04/12/2019] - Publication of this advisory

[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-18662 to this vulnerability.
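For readers asking how the advisory applies, here is an added example that is not code from the advisory, from YouPHPTube, or from the poster. It uses an in-memory SQLite table named live_chat (a constructed stand-in; the real schema and the real getChat.json.php code are not on this page) to contrast the defect the advisory describes, a request parameter spliced into SQL text, with the fix, a bound parameter plus an allow-list check on the value. The stream-code format in is_valid_stream_code is an assumption for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for a live-chat message table.
# Added illustration; not YouPHPTube's schema or data.
SAMPLE_ROWS = [
    ("stream-abc", "alice", "hello"),
    ("stream-abc", "bob", "hi"),
    ("stream-xyz", "carol", "anyone here?"),
]

# Assumed format for a stream code (letters, digits, '-' and '_', 1-64 chars).
# An allow-list check like this is defence in depth; it does not replace
# parameterised queries.
STREAM_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def make_db() -> sqlite3.Connection:
    """Create the constructed in-memory table with a few chat rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE live_chat (live_stream_code TEXT, username TEXT, msg TEXT)"
    )
    conn.executemany("INSERT INTO live_chat VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_chat_vulnerable(conn: sqlite3.Connection, live_stream_code: str) -> list:
    """Defective pattern: the POST value is concatenated into the SQL text,
    so a quote character in it changes the query's structure."""
    sql = (
        "SELECT username, msg FROM live_chat "
        f"WHERE live_stream_code = '{live_stream_code}' ORDER BY rowid"
    )
    return conn.execute(sql).fetchall()


def get_chat_fixed(conn: sqlite3.Connection, live_stream_code: str) -> list:
    """Fixed pattern: the value is bound as a parameter, so the database
    treats it purely as data, never as SQL."""
    sql = (
        "SELECT username, msg FROM live_chat "
        "WHERE live_stream_code = ? ORDER BY rowid"
    )
    return conn.execute(sql, (live_stream_code,)).fetchall()


def is_valid_stream_code(live_stream_code: str) -> bool:
    """Allow-list check applied before the value reaches the query."""
    return STREAM_CODE_RE.fullmatch(live_stream_code) is not None


def query_is_broken_by(conn: sqlite3.Connection, live_stream_code: str) -> bool:
    """True if the concatenating builder can no longer parse its own query
    for this input, i.e. the input has altered the SQL structure."""
    try:
        get_chat_vulnerable(conn, live_stream_code)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for code in ("stream-abc", "stream-abc'"):
        print(f"input={code!r} valid={is_valid_stream_code(code)}")
        print("  fixed   ->", get_chat_fixed(db, code))
        print("  unsafe  -> breaks query:", query_is_broken_by(db, code))
```

On a benign code both builders return the same rows; on a code containing a quote the parameterised query simply finds no matching row, while the concatenating builder can no longer parse its own statement, which is the condition the advisory describes. The same contrast holds in PHP with mysqli or PDO prepared statements.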
 

Manigodo

Registered
Messages
45
Reaction score
48
Points
18
In fact, I don't really know hacking... please, how can I use this information?
 

Snyder1994

Registered
Messages
13
Reaction score
12
Points
3
Great
 

Ana23mama23

Registered
Messages
62
Reaction score
80
Points
18
ok, thanks
 

Simeon6w

Registered
Messages
15
Reaction score
15
Points
3
 

alekgrau

Registered
Messages
17
Reaction score
12
Points
3
 

rchscotter

VIP Member
Messages
31
Reaction score
13
Points
8
Thanks
 

Serb12

Registered
Messages
23
Reaction score
37
Points
3
Ooh hot method
 

lemiclemic

Registered
Messages
14
Reaction score
12
Points
3
a
 

alekgrau

Registered
Messages
17
Reaction score
12
Points
3
thx
 

tafko2001

Registered
Messages
18
Reaction score
6
Points
3
Maniac, are you crazy?
 

tio01

Registered
Messages
1
Reaction score
0
Points
1
 