_____________
ChX Security |
=============

-> "Generic YouTube Clone Script - XSRF: Arbitrary Code Injection" <-

______
Data |
======
Author: Pepepistola
Program: Generic YouTube Clone Script
Severity: Moderately Critical
Type of Advisory: Mid Disclosure
Affected/Tested Versions: -- (* See below)

* There are multiple clone scripts made by multiple vendors, but all share the same mistakes and even the same code, so we could not determine the right (or original) vendor.

____________________
Program Description |
====================
Dream to build your own highly profitable online video sharing community just like YouTube or DailyMotion? Unleash the power of video sharing to boost your websites' traffic & revenues!

_________
Overview |
=========
The "Email-Template" module has no file type validation, and a remote attacker could lead the admin to create a specially crafted malicious email template that allows the remote attacker to compromise the entire system.

___________
WorkAround |
===========
The admin has the capability to create an "Email-Template", which is stored in the directory:

/templates/emails/

Since the module does not have any file type validation, the admin can upload any arbitrary file type. A remote attacker can therefore gain access simply by leading the (already logged-in) admin to a specially crafted (malicious) website that, through a Cross-Site Request Forgery, makes the admin's browser automatically create an email template. This could allow a remote attacker to gain access and further compromise the entire system.

________________
Proof Of Concept|
================
ChX Security will not release any proof of concept.

____________
Solution/Fix|
============
At the moment there is no official solution provided by the vendor(s)... ChX Security encourages website admins to stay logged in only for the time necessary and to remain logged out whenever no administration-related task has to be done.
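The advisory names two missing controls in the template module: no anti-CSRF check on the request that creates a template, and no validation of the template's file type before it is written under /templates/emails/. The page shows none of the script's code, so the following Python example is added here as an illustration of what a server-side fix would look like; it is not the vendor's code. The handler, the request dictionary, the allowlist of extensions and the server secret are all assumed for the example.

```python
import hashlib
import hmac
import posixpath
import re
import secrets

# Hypothetical per-deployment secret; a real application would load this from
# configuration rather than generating it at import time.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed allowlist: only plain text and HTML may become e-mail templates.
ALLOWED_EXTENSIONS = {".html", ".txt"}
TEMPLATE_DIR = "/templates/emails/"          # directory named in the advisory
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # base name: no '/', '..', spaces


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as HMAC(secret, session_id).

    A page on another origin cannot read the admin's session or the server
    secret, so it cannot supply this value in a forged request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    expected = make_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted or "")


def validate_template_name(filename: str):
    """Return the safe on-disk path for a template, or None if it is rejected.

    The extension must be on the allowlist (this is the file type validation
    the advisory says is absent) and the base name must be a plain identifier,
    which also blocks path traversal out of TEMPLATE_DIR.
    """
    base, ext = posixpath.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    if not NAME_RE.fullmatch(base):
        return None
    return posixpath.join(TEMPLATE_DIR, base + ext.lower())


def handle_create_template(request: dict, session_id: str):
    """Simulated 'create e-mail template' handler.

    `request` is a constructed dict with keys 'method', 'csrf_token' and
    'filename'. Returns a (status, detail) tuple instead of writing a file.
    """
    if request.get("method") != "POST":
        return ("rejected", "template creation must be a POST")
    if not verify_csrf_token(session_id, request.get("csrf_token")):
        return ("rejected", "missing or invalid CSRF token")
    path = validate_template_name(request.get("filename", ""))
    if path is None:
        return ("rejected", "disallowed template file name or type")
    return ("created", path)


if __name__ == "__main__":
    token = make_csrf_token("admin-session")
    # Forged cross-site request: no token, so it is refused before any file check.
    print(handle_create_template({"method": "POST", "filename": "x.html"}, "admin-session"))
    # Legitimate request with a disallowed extension is still refused.
    print(handle_create_template({"method": "POST", "csrf_token": token,
                                  "filename": "welcome.php"}, "admin-session"))
    # Legitimate request with an allowed type succeeds.
    print(handle_create_template({"method": "POST", "csrf_token": token,
                                  "filename": "welcome.html"}, "admin-session"))
```

The token must be embedded in the admin's own template form and checked on every state-changing request; the extension allowlist is checked after it, so even a CSRF-proof form cannot be used to drop an executable file into the template directory. Rejecting GET for creation and setting the session cookie with the SameSite attribute (where the browser supports it) add further margin, but neither replaces the token check.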
______
Dates |
======
Bug Found: 04/07/2007
Vendor Contact: --/--/--
Vendor Response: --/--/--
Public Disclosure: 06/07/2007

_______
Shouts |
=======
g30rg3_x, musashi, patoruzu, elvispresley, skyline2412 (p1mp4m)

ChX Security
http://chxsecurity.org/
(c) 2007