Executive Summary

CVE-2021-47750 is a cross-site scripting (XSS) vulnerability in YouPHPTube versions up to 7.8. It occurs because the redirectUri parameter on the signup page is not properly sanitized, allowing attackers to inject malicious scripts. By crafting special signup URLs containing embedded script tags, attackers can execute arbitrary JavaScript in the browsers of users who visit these URLs. [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who access the crafted signup URLs. This can lead to session hijacking, phishing attacks, or other malicious actions performed in the context of the victim's browser, potentially compromising user security and privacy. [1, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the signup page's redirectUri parameter for reflected cross-site scripting (XSS). You can craft and visit URLs with script tags embedded in the redirectUri parameter to see if the script executes. For example, accessing a URL like: http://<your_youphptube_domain>/signup?redirectUri='"()%26%25<ScRipt>alert(1)</ScRipt> will trigger an alert box if vulnerable. Additionally, monitoring web server logs for suspicious signup URLs containing script tags in the redirectUri parameter can help detect exploitation attempts. [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating YouPHPTube to a version later than 7.8 where this vulnerability is fixed. If an update is not possible, implement input validation and proper encoding/sanitization on the redirectUri parameter to prevent script injection. Additionally, restrict user input on the signup page and consider using web application firewalls (WAF) to block malicious requests containing script tags in parameters. Educate users to avoid clicking suspicious signup URLs. [1, 3]

Useful 0 Not Useful 0