CVE-2014-8399 SQL Injection in NuevoLabs flash player for clipshare

[research () protectlogic com]

Nuevolabs Nuevoplayer for clipshare SQL Injection
=======================================================================

:: ADVISORY SUMMARY ::
Title:     Nuevolabs Nuevoplayer for clipshare Sql Injection
Vendor:    NUEVOLABS (www.nuevolabs.com)
Product:   NUEVOPLAYER for clipshare
Credits:   Cory Marsh - protectlogic.com
Discovery: 2014-10-10
Release:   2014-10-28

Nueovplayer is a popular flash video player with integration into multiple popular video sharing suites.  The most 
notable is Clipshare (clip-share.com).  Nuevoplayer provides flash video playing capabilities to third party video 
sharing suites.


:: VULNERABILITY ::
Type:     SQL Injection and Privilege Escalation
Category: Remote
Severity: High
CVSS2:    7.7
CVSS2:    (AV:N/AC:L/Au:N/C:P/I:P/A:C/E:F/RL:TF/RC:C)
CVE-ID:   CVE-2014-8339


:: AFFECTED PRODUCT VERSIONS ::
NUEVOLABS NUEVOPLAYER for clipshare version 8.0 and possibly earlier.

nuevolabs.com
clip-share.com


:: VULNERABILITY DETAILS ::
A sql injection vulnerability in nuevo player midroll feature with integration for clipshare allows remote attackers to 
read any information in the effected mysql database.  Midrolls allow sites to insert ads or "midrolls" into videos 
during playback.

Because clipshare stores the administrator password in the database this leads to full comprise of the effected 
clipshare system. 


:: SOLUTION ::
Vendor is not providing patches for effected customers.

If the site does NOT use midrolls, you can simply delete midroll.php to protect yourself.  If you wish to patch the 
issue, you can apply this patch to midroll.php which wraps the $ch variable in a intval() function on line 29 of 
midroll.php:
line 29: 'channel = '.$ch.
becomes: 'channel = '.intval($ch).

------------------- CUT HERE -------------------
--- midroll.php 2014-10-16 21:02:36.077663202 -0600
+++ midroll-patched.php 2014-10-16 21:02:02.197662566 -0600
@@ -26,7 +26,7 @@
    
    $chans = explode("|",$channel);
    foreach($chans as $ch) {
-       if(!$ch=='0') { $add.='channel = '.$ch.' OR '; }
+       if(!$ch=='0') { $add.='channel = '.intval($ch).' OR '; }
    }
    $add =trim($add); $add=trim($add,'OR');$add=trim($add);
------------------- CUT HERE -------------------

To apply the patch, copy paste this to a new file (midroll.patch for example), upload this file to your server and 
apply the patch with the command: patch /path/to/midroll.php < /path/to/midroll.patch
eg:
$ cp midroll.php /var/www/site/nuevo/midroll.patch
$ cd /var/www/site/nuevo
$ patch midroll.php < midroll.patch


:: DISCLOSURE ::

2014-10-15 initial vendor contact        - no response
2014-10-21 CVE requested
2014-10-23 CVE assigned, vendor contact  - no response
2014-10-24 posted to vendor forum        - no respsone
2014-10-25 fourth vendor contact         - no response
2014-10-26 vendor deletes post and suspends account
2014-10-29 public disclosure


:: DISCLAIMER ::

THE INFORMATION PRESENTED HEREIN ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, 
INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR 
WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE 
PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT 
THE USER'S OWN RISK.