![ClipBucket](http://cdn.clip-bucket.com/styles/cbv2new/images/ClipBucketLogo.png)
Multiple SQL injection vulnerabilities were found in ClipBucket, a free and open-source video sharing script. Full details of the vulnerabilities, with proof-of-concept examples, are available on the High-Tech Bridge Security Research Lab's page: High-Tech Bridge Advisory HTB23125: Multiple SQL Injection vulnerabilities in ClipBucket.
Vulnerable scripts: "ajax.php", "/user_contacts.php", "/view_channel.php", "view_page.php", "view_topic.php", "/watch_video.php". As noted on the researcher's page, some of these vulnerabilities were described earlier for previous versions of ClipBucket, but they were not fixed in the tested version (2.6 Revision 738).
A solution is now available: apply the CB SQL Injection Fix 11282012 patch or upgrade to ClipBucket 2.6 r738 with security fixes (clipbucket-2.6-r738-security-fixed-p2). These files are available in the download area of ClipBucket's SourceForge page.