Video-on-demand platform urged to conduct full security audit

Numerous vulnerabilities in the ClipBucket video-sharing platform left web servers exposed to OS command injection, arbitrary file upload, and SQL injection, researchers have disclosed.

Ireland-based ClipBucket is an open-source media solution that allows individuals and organizations to create their own branded video-on-demand (VOD) platforms, similar to YouTube, Dailymotion, and Metacafe.

After digging around in the application’s source code, researchers from SEC Consult Vulnerability Lab found numerous critical security issues that could allow an attacker to fully compromise the web servers on which ClipBucket is installed.

“Any OS commands can be injected by an unauthenticated attacker,” the researchers warned in their advisory. “This is a serious vulnerability, as the chances for the system to be fully compromised is very high.”

The Vulnerability Lab team in Kuala Lumpur found that malicious files could be uploaded to web servers by an unauthenticated attacker.

“It is possible for an attacker to upload a script to issue operating system commands,” they stated. “This same vulnerability can also be exploited by an authenticated attacker with normal user privileges.”

In addition, an unauthenticated blind SQL injection flaw could enable an attacker to execute arbitrary SQL commands on the underlying MySQL server.

The platform provider has now patched the vulnerabilities, and users have been urged to install ClipBucket v4.0 immediately.

“ClipBucket has suffered from multiple critical security issues in the past, and it seems that previous issues have not been fixed throughout the source code but only for specific reported issues,” Johannes Greil, head of SEC Consult Vulnerability Lab, told The Daily Swig.

“The initial vendor response was fast, but the fixing process took longer than expected, as the reported vulnerabilities were not properly fixed.”

He added: “SEC Consult highly recommends that ClipBucket performs a thorough security audit by professionals to identify further potential security issues.”