YouPHPTube 7.4 – Remote Code Execution Sep 2019

Preface: As time goes by, youth not familiar with TV at home. Obviously the online video is the new generation of choice.

Product background: With YouPHPTube you can create your own video sharing site, YouPHPTube will help you import and encode videos from other sites like Youtube, Vimeo, etc. and you can share directly on your website.

Vulnerability details: A design weakness was found before version 7.5. The machanism doesn’t checks if someone wanna generate a new config file. So the attacker can exploit on this flaw then generate his own config file with malicious code. As a result, the visitor do not know they already connect to a compromised server.

Remedy: Be reminded that you should remove the “/var/www/YouPHPTube/install/” directory after YouPHPTube installation.