Nuevolabs Nuevoplayer For Clipshare SQL Injection

`Nuevolabs Nuevoplayer for clipshare SQL Injection  
=======================================================================  
  
:: ADVISORY SUMMARY ::  
Title: Nuevolabs Nuevoplayer for clipshare Sql Injection  
Vendor: NUEVOLABS (www.nuevolabs.com)  
Product: NUEVOPLAYER for clipshare  
Credits: Cory Marsh - protectlogic.com  
Discovery: 2014-10-10  
Release: 2014-10-28  
  
Nueovplayer is a popular flash video player with integration into multiple popular video sharing suites. The most notable is Clipshare (clip-share.com). Nuevoplayer provides flash video playing capabilities to third party video sharing suites.  
  
  
:: VULNERABILITY ::  
Type: SQL Injection and Privilege Escalation  
Category: Remote  
Severity: High  
CVSS2: 7.7  
CVSS2: (AV:N/AC:L/Au:N/C:P/I:P/A:C/E:F/RL:TF/RC:C)  
CVE-ID: CVE-2014-8339  
  
  
:: AFFECTED PRODUCT VERSIONS ::  
NUEVOLABS NUEVOPLAYER for clipshare version 8.0 and possibly earlier.  
  
nuevolabs.com  
clip-share.com  
  
  
:: VULNERABILITY DETAILS ::  
A sql injection vulnerability in nuevo player midroll feature with integration for clipshare allows remote attackers to read any information in the effected mysql database. Midrolls allow sites to insert ads or "midrolls" into videos during playback.  
  
Because clipshare stores the administrator password in the database this leads to full comprise of the effected clipshare system.   
  
  
:: SOLUTION ::  
Vendor is not providing patches for effected customers.  
  
If the site does NOT use midrolls, you can simply delete midroll.php to protect yourself. If you wish to patch the issue, you can apply this patch to midroll.php which wraps the $ch variable in a intval() function on line 29 of midroll.php:  
line 29: 'channel = '.$ch.  
becomes: 'channel = '.intval($ch).  
  
------------------- CUT HERE -------------------  
--- midroll.php 2014-10-16 21:02:36.077663202 -0600  
+++ midroll-patched.php 2014-10-16 21:02:02.197662566 -0600  
@@ -26,7 +26,7 @@  
  
$chans = explode("|",$channel);  
foreach($chans as $ch) {  
- if(!$ch=='0') { $add.='channel = '.$ch.' OR '; }  
+ if(!$ch=='0') { $add.='channel = '.intval($ch).' OR '; }  
}  
$add =trim($add); $add=trim($add,'OR');$add=trim($add);  
------------------- CUT HERE -------------------  
  
To apply the patch, copy paste this to a new file (midroll.patch for example), upload this file to your server and apply the patch with the command: patch /path/to/midroll.php < /path/to/midroll.patch  
eg:  
$ cp midroll.php /var/www/site/nuevo/midroll.patch  
$ cd /var/www/site/nuevo  
$ patch midroll.php < midroll.patch  
  
  
:: DISCLOSURE ::  
  
2014-10-15 initial vendor contact - no response  
2014-10-21 CVE requested  
2014-10-23 CVE assigned, vendor contact - no response  
2014-10-24 posted to vendor forum - no respsone  
2014-10-25 fourth vendor contact - no response  
2014-10-26 vendor deletes post and suspends account  
2014-10-29 public disclosure  
  
  
:: DISCLAIMER ::  
  
THE INFORMATION PRESENTED HEREIN ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.  
`