CVE-2019-5129
Published 2019-10-25
Priority P1 · 86 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 38.53% (98.4th percentile)
A command injection has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getSpiritsFromVideo.php is vulnerable to a command injection attack.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| youphptube | youphptube_encoder | — | — |
| youphptube | youphptube_encoder | — | — |
Detection & IOCs (extracted from sources)
url: /objects/getSpiritsFromVideo.php?base64Url={{payload}}&format=jpg
command: payload: '{{base64(concat("`", content, " > ", file_name, "`"))}}'
- Monitor HTTP GET requests to /objects/getSpiritsFromVideo.php and /objects/getImageMP4.php with a base64Url parameter; base64-decoded values containing backtick-wrapped shell commands (e.g., `id > file.txt`) indicate active exploitation.
- The exploit writes command output (e.g., `id`) to a randomly named .txt file under /objects/; subsequent GET requests to /objects/<random>.txt retrieving uid/gid output confirm successful RCE.
- Response body containing the pattern uid=[0-9]+.*gid=[0-9]+.* from a file served under /objects/ is a strong indicator of successful command injection exploitation.
- The attack is unauthenticated; no session cookie or authentication header is required. Any request to the vulnerable endpoints from an unauthenticated source should be treated as suspicious.
- FOFA fingerprint icon_hash="-276846707" can be used to identify exposed YouPHPTube Encoder instances on the internet for proactive scanning.
- The vulnerable parameter 'base64Url' accepts a base64-encoded value; the injected payload wraps shell commands in backticks (e.g., `id > file.txt`), meaning WAF/IDS rules must decode base64 before matching command injection patterns.
- Both /objects/getSpiritsFromVideo.php and /objects/getImageMP4.php are independently vulnerable; detection and blocking rules must cover both endpoints.
- The output file name used in exploitation is randomized (rand_text_alpha(4).txt), so static filename-based detection will not catch all exploitation attempts; focus on the base64Url parameter content instead.
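The decode-then-match check these notes call for, as an added example that is not part of the original page or of any vendor rule set. It assumes combined-format access logs; the function names and sample lines are constructed for illustration, and matching shell metacharacters other than backticks is a generalization beyond what the page lists.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Both endpoints the notes above list as independently vulnerable.
ENDPOINTS = {"/objects/getSpiritsFromVideo.php", "/objects/getImageMP4.php"}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Backticks come from the page; the other metacharacters are an added assumption.
SHELL_META = re.compile(r"`|\$\(|[;|<>\n]")

def decode_b64(value):
    """Decode standard or URL-safe base64, tolerating stripped padding."""
    # parse_qs turns an unescaped '+' into a space, so undo that first.
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def inspect_line(line):
    """Return (path, decoded, verdict) for a request to a listed endpoint, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path not in ENDPOINTS:
        return None
    raw = parse_qs(url.query).get("base64Url", [""])[0]
    decoded = decode_b64(raw)
    if decoded is None:
        return (url.path, None, "undecodable")
    verdict = "injection" if SHELL_META.search(decoded) else "clean"
    return (url.path, decoded, verdict)

def _line(target):
    # Constructed combined-log-format line; the client IP is a documentation address.
    return f'203.0.113.5 - - [01/Jan/2024:00:00:00 +0000] "GET {target} HTTP/1.1" 200 0'

def _b64(text):
    return quote(base64.b64encode(text.encode()).decode(), safe="")

SAMPLE_LOG = [  # constructed for this example
    _line(f"/objects/getSpiritsFromVideo.php?base64Url={_b64('`id > file.txt`')}&format=jpg"),
    _line(f"/objects/getImageMP4.php?base64Url={_b64('`id > file.txt`')}&format=jpg"),
    _line(f"/objects/getImageMP4.php?base64Url={_b64('http://media.example/v.mp4')}&format=jpg"),
    _line("/objects/getImageMP4.php?base64Url=!!!notb64&format=jpg"),
    _line("/index.php"),
]
```

Values that fail to decode are reported as "undecodable" rather than dropped, since a parameter that should always hold base64 but does not is itself worth a look.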
CVSS provenance
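| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |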
GHSA
GHSA-6fx6-xpxg-p8v7: A command injection have been found in YouPHPTube Encoder
ghsa_unreviewed·2022-05-24
CVE-2019-5129 [CRITICAL] CWE-78 GHSA-6fx6-xpxg-p8v7: A command injection have been found in YouPHPTube Encoder
VulnCheck
youphptube youphptube_encoder Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2019·CVSS 9.8
CVE-2019-5129 [CRITICAL] youphptube youphptube_encoder Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: youphptube youphptube_encoder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=202
No detection rules found.
Nuclei
YouPHPTube Encoder 2.3 - Command Injection
nuclei·CVSS 9.8
CVE-2019-5129 [CRITICAL] YouPHPTube Encoder 2.3 - Command Injection
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
Template:
```yaml
id: CVE-2019-5129
info:
  name: YouPHPTube Encoder 2.3 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands through command injection, leading to complete server compromise and pote
```
Talos
Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube
blogs_talos·2019-10-17·CVSS 8.8
[HIGH] Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube
Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities.
YouPHPTube contains multiple vulnerabilities that could allow an attacker to carry out a variety of malicious activities. Specially crafted, attacker-created web requests can allow an attacker to inject SQL code into the application in some of these cases. YouPHPTube is an open-source program that can allow users to create their own, custom video sites. The software is meant to mimic popular websites such as YouTube, Netflix and Vimeo, according to its website. If successful, an attacker could use these vulnerabilities to gain the ability to exfiltrate files in the database, steal user credentials and, in some configurations, access the underlying operating system.
In accordance with our coordinated disclosure pol
Talos
Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube
blogs_talos·2019-10-17·CVSS 9.8
[CRITICAL] Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube