CVE-2021-26786
Description
An issue was discovered in customercentric-selling-poland PlayTube that allows authenticated attackers to execute arbitrary code via the purchase code to the config.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PlayTube allows authenticated attackers to reinstall the application and execute arbitrary PHP code via the purchase code field in config.php.
Vulnerability
PlayTube, a video sharing platform, contains a vulnerability in its installation script install/index.php. The script does not verify whether the application has already been installed, allowing an authenticated attacker to reinstall the application. During reinstallation, the attacker can supply a malicious purchase code that is written directly to config.php, enabling arbitrary PHP code execution [1]. Affected versions are not specified but include all versions prior to a fix.
Exploitation
An authenticated attacker accesses the install/index.php page. They submit the reinstallation form with a local database configuration to overwrite the administrator password. In the purchase code field, they inject PHP code (e.g., <?php system($_GET['cmd']); ?>). This code is then written to config.php and executed on the server [1].
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the web server, leading to full remote code execution (RCE). The attacker can also change the administrator password, gaining persistent administrative access to the PlayTube instance.
Mitigation
As of the publication date, no official patch has been released. The vendor should implement a check in install/index.php to prevent reinstallation if the application is already configured. Users should restrict access to the installation script and monitor for unauthorized reinstallation attempts.
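One way to implement the check the Mitigation paragraph asks for, as an added example that is not PlayTube's or the vendor's code. The lock-file name, the array layout of config.php, the `purchase_code` field name and the purchase-code format are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical installer guard, not PlayTube's own code.

const CONFIG_FILE = __DIR__ . '/config.php';      // assumed location
const LOCK_FILE   = __DIR__ . '/installed.lock';  // hypothetical marker file

// The installer may run only while neither the lock nor the config exists.
function installer_allowed(): bool
{
    return !file_exists(LOCK_FILE) && !file_exists(CONFIG_FILE);
}

// Allowlist for the assumed purchase-code shape (dash-separated hex groups).
function valid_purchase_code(string $code): bool
{
    return preg_match('/\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i', $code) === 1;
}

// Emit settings as PHP literals: var_export() quotes and escapes strings,
// so a submitted value stays data and cannot become code in config.php.
function write_config(array $settings): void
{
    $body = "<?php\nreturn " . var_export($settings, true) . ";\n";
    // Mode 'x' fails if the file exists, closing the check-then-write race.
    $fh = @fopen(CONFIG_FILE, 'x');
    if ($fh === false) {
        throw new RuntimeException('config.php already exists');
    }
    fwrite($fh, $body);
    fclose($fh);
    chmod(CONFIG_FILE, 0640);
    touch(LOCK_FILE);
}

// Returns the HTTP status the installer endpoint should answer with.
function handle_install(array $post): int
{
    if (!installer_allowed()) {
        return 403;                       // already installed: refuse
    }
    $code = $post['purchase_code'] ?? null;
    if (!is_string($code) || !valid_purchase_code($code)) {
        return 422;                       // reject anything off the allowlist
    }
    write_config(['purchase_code' => $code]);
    return 200;
}
```

Deleting or web-server-blocking the install directory after setup remains the stronger control; the guard covers deployments where the script is left in place.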
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- customercentric-selling-poland/PlayTube (description)
Patches
No patches discovered yet.
References
[1] github.com/customercentric-selling-poland/playtuber/issues/1 (mitre, x_refsource_MISC)