Hacking YouPHPTube 7.7 SQL Injection Vulnerability

Koc

YouPHPTube <= 7.7 (getChat.json.php) SQL Injection Vulnerability
----------------------------------------------------------------

[-] Software Link:

[-] Affected Versions:
Version 7.7 and prior versions.

[-] Vulnerability Description:
User input passed through the "live_stream_code" POST parameter to
/plugin/LiveChat/getChat.json.php is not properly sanitized before
being used to construct a SQL query. This can be exploited by malicious
users to e.g. read sensitive data from the database through in-band SQL
Injection attacks. Successful exploitation of this vulnerability
requires the "Live Chat" plugin to be enabled (disabled by default).

[-] Solution:
Upgrade to version 7.8 or later.

[-] Disclosure Timeline:
[31/10/2019] - Issue reported to https://git.io/JeD2U
[02/11/2019] - CVE number assigned
[02/12/2019] - Versions 7.8 released
[04/12/2019] - Publication of this advisory

[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-18662 to this vulnerability.
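
Added example (not part of the original post and not YouPHPTube's own code): the flaw class the advisory describes, a request value concatenated into a SQL string, next to a parameterized version with an allowlist check. The table, columns, function names and the alphanumeric format of the stream code are assumptions; an in-memory SQLite database via PDO is used only so the snippet runs on its own.

```php
<?php
declare(strict_types=1);

// Constructed stand-in data; table and column names are hypothetical.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE chat (live_stream_code TEXT, message TEXT)');
    $db->exec("INSERT INTO chat VALUES ('abc123', 'hello'), ('zzz999', 'other stream')");
    return $db;
}

// Flawed pattern: the request value is pasted into the SQL text, so a quote
// character in it ends the string literal and the rest is parsed as SQL.
function getChatConcatenated(PDO $db, string $code): array
{
    $sql = "SELECT message FROM chat WHERE live_stream_code = '" . $code . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: reject values that do not look like a stream code (assumed here
// to be short alphanumeric strings), then bind the value as a parameter.
function getChatPrepared(PDO $db, string $code): array
{
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $code) !== 1) {
        return [];
    }
    $stmt = $db->prepare('SELECT message FROM chat WHERE live_stream_code = :code');
    $stmt->execute([':code' => $code]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demoDb();
// Constructed test value containing a quote; a real handler would read
// $_POST['live_stream_code'] instead.
$value = "abc123' OR 'x'='x";

printf("concatenated: %d row(s)\n", count(getChatConcatenated($db, $value)));
printf("prepared:     %d row(s)\n", count(getChatPrepared($db, $value)));
printf("prepared, well-formed code: %s\n", implode(', ', getChatPrepared($db, 'abc123')));
```

For the constructed value the concatenated query matches rows from both streams, while the parameterized version returns none and still serves the well-formed code normally.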
 

Manigodo

In fact I don't really know hacking... Please, how can I use this information?
 

Snyder1994

Great
 

Ana23mama23

ok thank
 

rchscotter

Thanks
 

Serb12

Ooh hot method
 

lemiclemic

a
 

alekgrau

thx
 

tafko2001

Dude, are you crazy?
 

tio01

[QUOTE="Koc, post: 1134, member: 4"]
YouPHPTube <= 7.7 (getChat.json.php) SQL Injection Vulnerability
----------------------------------------------------------------

[-] Software Link:
*** Hidden text: cannot be quoted. ***


[-] Affected Versions:
Version 7.7 and prior versions.

[-] Vulnerability Description:
User input passed through the "live_stream_code" POST parameter to
/plugin/LiveChat/getChat.json.php is not properly sanitized before
being used to construct a SQL query. This can be exploited by
users to e.g. read sensitive data from the database through in-band SQL
Injection attacks. Successful exploitation of this vulnerability
requires the "Live Chat" plugin to be enabled (disabled by default).

[-] Solution:
Upgrade to version 7.8 or later.

[-] Disclosure Timeline:
[31/10/2019] - Issue reported to https://git.io/JeD2U
[02/11/2019] - CVE number assigned
[02/12/2019] - Versions 7.8 released
[12/04/2019] - Publication of this advisory

[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-18662 to this vulnerability.
[/QUOTE]
 