*Vastal I-tech phpVID 1.2.3 SQL Injection Security Vulnerabilities* Exploit Title: Vastal I-tech phpVID /groups.php Multiple Parameters SQL Injection Security Vulnerabilities Product: phpVID Vendor: Vastal I-tech Vulnerable Versions: 1.2.3 0.9.9 Tested Version: 1.2.3 0.9.9 Advisory Publication: March 10, 2015 Latest Update: March 10, 2015 Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore] *Advisory Details:* *(1) Vendor & Product Description:* *Vendor:* Vastal I-tech *Product & Vulnerable Versions:* phpVID 1.2.3 0.9.9 *Vendor URL & Download:* phpVID can be bought from here, http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA *Product Introduction:* "phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy." "The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a "single dedicated server". phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com." "Server Requirements: Preferred Server: Linux any Version PHP 4.1.0 or above MySQL 3.1.10 or above GD Library 2.0.1 or above Mod Rewrite and .htaccess enabled on server. FFMPEG (If you wish to convert the videos to Adobe Flash)" *(2) Vulnerability Details:* phpVID web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other bug hunter researchers have found some SQL Injection vulnerabilities related to it before, too. phpVID has patched some of them. *(2.1) *The first code programming flaw occurs at "groups.php?" page with "&order_by" "&cat" parameters. *References:* http://tetraph.com/security/sql-injection-vulnerability/vastal-i-tech-phpvid-1-2-3-sql-injection-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/vastal-i-tech-phpvid-123-sql-injection.html http://www.inzeed.com/kaleidoscope/computer-web-security/vastal-i-tech-phpvid-1-2-3-sql-injection-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/vastal-i-tech-phpvid-1-2-3-sql-injection-security-vulnerabilities/ https://webtechwire.wordpress.com/2015/03/10/vastal-i-tech-phpvid-1-2-3-sql-injection-security-vulnerabilities/ http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551597501701&w=2 https://cxsecurity.com/issue/WLB-2015020091 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious