what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Vastal I-tech phpVID 1.2.3 Cross Site Scripting

Vastal I-tech phpVID 1.2.3 Cross Site Scripting
Posted Mar 11, 2015
Authored by Jing Wang

Vastal I-tech phpVID version 1.2.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 2f745f0f2053a1c50166e0ff9afe06971ef8e748db53f3dd09146b41f9b50d4a

Vastal I-tech phpVID 1.2.3 Cross Site Scripting

Change Mirror Download
*Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security
Vulnerabilities*


Exploit Title: Vastal I-tech phpVID Multiple XSS Security Vulnerabilities
Product: phpVID
Vendor: Vastal I-tech
Vulnerable Versions: 1.2.3 0.9.9
Tested Version: 1.2.3 0.9.9
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Vastal I-tech



*Product & Vulnerable Versions:*
phpVID
1.2.3
0.9.9



*Vendor URL & Download:*
phpVID can be bought from here,
http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA



*Product Introduction:*
"phpVID is a video sharing software or a video shating script and has all
the features that are needed to run a successful video sharing website like
youtube.com. The features include the following. phpVID is the best youtube
clone available. The latest features include the parsing of the subtitles
file and sharing videos via facebook. With phpVID Video Sharing is
extremely easy. "

"The quality of code and the latest web 2.0 technologies have helped our
customers to achieve their goals with ease. Almost all customers who have
purchased phpVID are running a successful video sharing website. The
quality of code has helped in generating more then 3 million video views a
month using a "single dedicated server". phpVID is the only software in
market which was built in house and not just purchased from someone. We
wrote the code we know the code and we support the code faster then anyone
else. Have any questions/concerns please contact us at: info@vastal.com.
See demo at: www.phpvid.com. If you would like to see admin panel demo
please email us at: info@vastal.com."

"Server Requirements:
Preferred Server: Linux any Version
PHP 4.1.0 or above
MySQL 3.1.10 or above
GD Library 2.0.1 or above
Mod Rewrite and .htaccess enabled on server.
FFMPEG (If you wish to convert the videos to Adobe Flash)"





*(2) Vulnerability Details:*
phpVID web application has a security bug problem. It can be exploited by
XSS (Cross-site Scripting) attacks. This may allow a remote attacker to
create a specially crafted request that would execute arbitrary script code
in a user's browser session within the trust relationship between their
browser and the server. Some bug hunter researchers also have found other
XSS vulnerabilities related to it before. phpVID has patched some of them.


*(2.1)* The first code programming flaw occurs at "members.php?" page with
"&browse" parameter.


*(2.2)* The second code programming flaw occurs at "login.php?" page with
"&next" parameter.


*(2.3)* The third code programming flaw occurs at "search_results.php?"
page with "&query" parameter.


*(2.4) *The fourth code programming flaw occurs at "groups.php?" page with
"&type" parameter.








*References:*
http://www.tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/vastal-i-tech-phpvid-123-multiple-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities-2/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/
https://webtechwire.wordpress.com/2015/03/10/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142295509503651&w=2
https://cxsecurity.com/issue/WLB-2015030026





--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close