CVE-2019-5129
📋 TL;DR
CVE-2019-5129 is an unauthenticated command injection vulnerability in the YouPHPTube Encoder plugin that allows attackers to execute arbitrary commands on the server. It affects YouPHPTube Encoder 2.3 installations and can lead to compromise of the entire server. Attackers can exploit it remotely without authentication.
💻 Affected Systems
- YouPHPTube Encoder
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Server takeover with web shell installation, data exfiltration, and use as pivot point for further attacks.
If Mitigated
Attack blocked at network perimeter or detected before significant damage occurs.
🎯 Exploit Status
A simple HTTP POST request with a crafted base64Url parameter can execute commands. Exploit code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to the latest YouPHPTube Encoder version or remove the vulnerable plugin
Vendor Advisory: https://github.com/YouPHPTube/YouPHPTube-Encoder/issues
Restart Required: No
Instructions:
1. Remove or disable the YouPHPTube Encoder 2.3 plugin.
2. Check for updated versions from official sources.
3. If no patch is available, implement the workarounds below.
🔧 Temporary Workarounds
Block vulnerable endpoint
Use web server configuration to block access to /objects/getSpiritsFromVideo.php
# Apache (.htaccess context; in the main server config the pattern needs a leading /):
RewriteEngine On
RewriteRule ^objects/getSpiritsFromVideo\.php$ - [F,L]
# Nginx:
location ~ ^/objects/getSpiritsFromVideo\.php$ { return 403; }
Input validation WAF rule
Add a web application firewall rule to block malicious base64Url parameter values
# ModSecurity rule (ARGS are already URL-decoded when the rule runs):
SecRule ARGS:base64Url "@rx [;&|`$()]" "id:1001,phase:2,deny,status:403,msg:'Command injection attempt'"
# Cloudflare WAF: create a rule blocking patterns containing shell metacharacters in the base64Url parameter
🧯 If You Can't Patch
- Network segmentation: Isolate affected server from critical systems
- Implement strict egress filtering to limit outbound connections from vulnerable server
🔍 How to Verify
Check if Vulnerable:
Check whether /objects/getSpiritsFromVideo.php exists and YouPHPTube Encoder 2.3 is installed. Test with a harmless command injection payload:
curl -X POST 'http://target/objects/getSpiritsFromVideo.php' -d 'base64Url=test;echo+vulnerable'
Check Version:
Check the plugin directory for version files, or examine the YouPHPTube plugin configuration.
Verify Fix Applied:
Verify that the vulnerable file is removed or blocked, and that the same test payload now returns an error or is blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /objects/getSpiritsFromVideo.php with shell metacharacters in parameters
- Unusual process execution from web server user
- Multiple failed command injection attempts
Network Indicators:
- Outbound connections from web server to unusual destinations
- Large data exfiltration from server
SIEM Query:
source="web_logs" AND uri="/objects/getSpiritsFromVideo.php" AND method="POST" AND (params CONTAINS ";" OR params CONTAINS "|" OR params CONTAINS "`" OR params CONTAINS "$")
Note: the metacharacter conditions must be ANDed with the URI and method, otherwise every POST to the endpoint is flagged. Matching on params only works if the web server or reverse proxy logs request bodies; standard access logs record only the query string.
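As an added example, not code from the advisory or from the YouPHPTube project, the following Python script applies the same shell-metacharacter denylist as the ModSecurity rule above to the base64Url parameter, and additionally flags values that are not valid base64url at all (a stricter allowlist check), over a constructed set of sample requests. It assumes requests are available as (method, request target, POST body) tuples, which is how a body-logging proxy or WAF audit log could feed it.

```python
import re
from urllib.parse import unquote_plus, urlsplit

VULN_PATH = "/objects/getSpiritsFromVideo.php"   # endpoint named in the advisory
PARAM = "base64Url"
SHELL_META = re.compile(r"[;&|`$()]")            # denylist from the ModSecurity rule above
# Allowlist: a genuine base64url value (RFC 4648 alphabet, optional '=' padding).
B64URL_STRICT = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")

def parse_form(qs):
    """Split on '&' only, as PHP does (parse_qs also split on ';' before Python 3.9.2)."""
    params = {}
    for pair in qs.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params

def check_request(method, target, body=""):
    """None if not the endpoint; else 'no_param', 'ok', 'malformed' or 'metachar'."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = parse_form(parts.query)
    if method.upper() == "POST":
        for key, vals in parse_form(body).items():
            params.setdefault(key, []).extend(vals)
    values = params.get(PARAM, [])
    if not values:
        return "no_param"
    if any(SHELL_META.search(v) for v in values):
        return "metachar"   # what the ModSecurity rule above would deny
    return "ok" if all(B64URL_STRICT.match(v) for v in values) else "malformed"

# Constructed sample traffic, not real logs: (method, request target, POST body).
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH, "base64Url=aHR0cHM6Ly9leGFtcGxlLmNvbS92aWRlby5tcDQ"),
    ("POST", VULN_PATH, "base64Url=test;echo+vulnerable"),   # test payload from the advisory
    ("GET", VULN_PATH + "?base64Url=abc$(id)", ""),
    ("POST", "/index.php", "base64Url=x|y"),                 # other endpoint: ignored
    ("POST", VULN_PATH, "base64Url=not%20base64%21"),
]

def find_suspicious(requests):
    """(index, verdict) of each request to the endpoint that is not clean."""
    verdicts = (check_request(*r) for r in requests)
    return [(i, v) for i, v in enumerate(verdicts) if v in ("metachar", "malformed")]
```

Running find_suspicious(SAMPLE_REQUESTS) flags entries 1 and 2 as metacharacter injection attempts and entry 4 as malformed input, while the request to another endpoint is ignored.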