GoFuckYourself.com - Adult Webmaster Forum - View Single Post - Tech IMPORTANT! Multiple TubeX Security Vulnerabilities

AdultKing · 09-05-2016, 12:09 PM

As some of you will know I updated TGPX to be compatible with later versions of PHP

https://github.com/rjkmelb/TGPX-Updated

People are using this version with good results.

Several people asked that TubeX be updated, however the script is ancient and would require a lot of work to update, but more importantly there is a fundamental flaw in TubeX that opens up serious vulnerabilities if you are running it on PHP 5.5 or below. An additional more serious security vulnerability presents itself when using PHP 5.3.

For obvious reasons I'm not going to post the precise details of the way to exploit these but my advice to anyone using TubeX is to abandon TubeX as soon as possible.

The risks:

PHP 5.3

- Remote code execution which allows the attacker to run arbitrary code with the privileges of the user account on which TubeX is installed.

- SQL injection which allows the attacker to modify your database

- File system modification which allows the attacker to write files to the root directory of the TubeX installation including replacing files like .htaccess

- XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site

PHP 5.5

- SQL injection which allows the attacker to modify your database

- XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site (can be minimised see below)

THERE IS NOTHING THAT CAN BE DONE TO RECTIFY THESE ISSUES WITHOUT A MAJOR CODE UPDATE!

If you are running Apache with PHP 5.5 the following code should be added to the top of your .htaccess file

Code:

<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options SAMEORIGIN
  Header set X-Content-Type-Options nosniff
</IfModule>

However if you are running PHP 5.3 you should remove TubeX from your system.

I know that there are several forums on which people are maintaining JMB Software scripts however TubeX is beyond hope IMHO. It's dangerous to have on your system if you are running PHP 5.3 and risky to have on your system if you are running PHP 5.5

Note: I have NOT tested these issues on PHP 5.6 and don't intend to.

09-05-2016, 12:09 PM
AdultKing Raise Your Weapon Industry Role: Join Date: Jun 2003 Location: Outback Australia Posts: 15,605	IMPORTANT! Multiple TubeX Security Vulnerabilities As some of you will know I updated TGPX to be compatible with later versions of PHP https://github.com/rjkmelb/TGPX-Updated People are using this version with good results. Several people asked that TubeX be updated, however the script is ancient and would require a lot of work to update, but more importantly there is a fundamental flaw in TubeX that opens up serious vulnerabilities if you are running it on PHP 5.5 or below. An additional more serious security vulnerability presents itself when using PHP 5.3. For obvious reasons I'm not going to post the precise details of the way to exploit these but my advice to anyone using TubeX is to abandon TubeX as soon as possible. The risks: PHP 5.3 - Remote code execution which allows the attacker to run arbitrary code with the privileges of the user account on which TubeX is installed. - SQL injection which allows the attacker to modify your database - File system modification which allows the attacker to write files to the root directory of the TubeX installation including replacing files like .htaccess - XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site PHP 5.5 - SQL injection which allows the attacker to modify your database - XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site (can be minimised see below) THERE IS NOTHING THAT CAN BE DONE TO RECTIFY THESE ISSUES WITHOUT A MAJOR CODE UPDATE! If you are running Apache with PHP 5.5 the following code should be added to the top of your .htaccess file Code: <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" Header set X-Frame-Options SAMEORIGIN Header set X-Content-Type-Options nosniff </IfModule> However if you are running PHP 5.3 you should remove TubeX from your system. I know that there are several forums on which people are maintaining JMB Software scripts however TubeX is beyond hope IMHO. It's dangerous to have on your system if you are running PHP 5.3 and risky to have on your system if you are running PHP 5.5 Note: I have NOT tested these issues on PHP 5.6 and don't intend to.