CVE-2019-5127
published 2019-10-25

Priority: P1 · 87 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: exploited (VulnCheck KEV)
EPSS: 45.30% (98.6th percentile)
A command injection has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin that provides encoder functionality for YouPHPTube. The base64Url parameter of /objects/getImage.php is vulnerable to command injection.

Affected (1 range)

Vendor      | Product            | Version range | Fixed in
youphptube  | youphptube_encoder |               |

Detection & IOCs (extracted from sources)

path: /objects/getImage.php
path: /objects/getImageMP4.php
path: /objects/getSpiritsFromVideo.php
command: `id > {(unknown)}.txt`
  • Monitor HTTP GET requests to /objects/getImage.php, /objects/getImageMP4.php, and /objects/getSpiritsFromVideo.php containing a base64Url parameter; the base64-decoded value of that parameter should be inspected for shell metacharacters (backticks, semicolons, pipes, etc.) indicating command injection.
  • A successful exploitation attempt will cause the server to write a file (e.g., a .txt file) to the web root and return its contents with a plain-text Content-Type header and HTTP 200. Detect by correlating a GET to one of the three vulnerable PHP endpoints followed by a GET to a short-named .txt file under /objects/, with the response body matching uid=[0-9]+.*gid=[0-9]+.*
  • The vulnerability is unauthenticated: no session cookie or authentication header is required. Alert on any unauthenticated access to the three vulnerable endpoints from external IP addresses.
  • The Nuclei template uses a randomly generated lowercase alpha filename (5 chars) for the out-of-band write probe, so the exact filename will vary per scan run and cannot be used as a static IOC.
  • The injected payload is base64-encoded before being placed in the base64Url query parameter; WAF/IDS rules must base64-decode the parameter value before inspecting it for shell metacharacters.
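The two detection steps above (decode base64Url before inspecting it, then correlate a follow-up read of a short .txt under /objects/) as one added example written for this page, not code from the CVE source or from YouPHPTube; it assumes a combined-log-format access log and runs over constructed sample lines:

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints the advisory names as taking the base64Url parameter.
VULNERABLE_PATHS = {"/objects/getImage.php", "/objects/getImageMP4.php",
                    "/objects/getSpiritsFromVideo.php"}
# Shell metacharacters that never belong in a legitimate base64Url value.
SHELL_META = re.compile(r"[`;|&$<>(){}\n]")
# Follow-up read of a short-named .txt under /objects/ (the write probe).
PROBE_READ = re.compile(r"^/objects/[a-z0-9]{1,8}\.txt$")
# Minimal combined-log parser (assumed format): client, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def decode_b64url(value: str) -> str:
    """Decode standard or URL-safe base64; tolerates '+' unquoted to ' ' and missing padding."""
    v = value.replace(" ", "+").replace("+", "-").replace("/", "_")
    v += "=" * (-len(v) % 4)
    try:
        return base64.urlsafe_b64decode(v).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def scan_access_log(lines):
    """One alert per request whose decoded base64Url carries shell metacharacters;
    upgraded to 'confirmed' when the same client then reads a short /objects/*.txt with 200."""
    alerts, suspects = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path in VULNERABLE_PATHS:
            for raw in parse_qs(parts.query).get("base64Url", []):
                decoded = decode_b64url(raw)
                if SHELL_META.search(decoded):
                    alerts.append({"client": client, "path": parts.path,
                                   "decoded": decoded, "level": "suspect"})
                    suspects.add(client)
        elif client in suspects and status == "200" and PROBE_READ.match(parts.path):
            for a in alerts:
                if a["client"] == client:
                    a["level"] = "confirmed"
    return alerts

def b64(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode()

# Constructed sample lines: a benign request, an injection attempt, the probe read.
SAMPLE_LOG = [
    f'198.51.100.5 - - [25/Oct/2019:10:00:01 +0000] "GET /objects/getImage.php?base64Url={b64("https://example.com/v.mp4")} HTTP/1.1" 200 512',
    f'203.0.113.7 - - [25/Oct/2019:10:00:02 +0000] "GET /objects/getImageMP4.php?base64Url={b64("`id > abcde.txt`")} HTTP/1.1" 200 0',
    '203.0.113.7 - - [25/Oct/2019:10:00:03 +0000] "GET /objects/abcde.txt HTTP/1.1" 200 41',
]
```

Running `scan_access_log(SAMPLE_LOG)` yields a single alert for 203.0.113.7 at level "confirmed"; the benign request decodes to a plain URL and produces nothing.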

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v3.0    | 10.0  | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck |         | 9.8   | CRITICAL |