ClipBucket 2.0.6 XSS vulnerability

I believe I have found a vulnerability in ClipBucket 2.0.6 (haven’t tested with prior versions).

ClipBucket is an open source and free script that will let you start your own Video Sharing (YouTube Clone) website in a matter of minutes. ClipBucket is the fastest growing script with most video sharing websites and social networking features.
current version: 2.0.6

The script that handles the search feature does not sanitize user input properly, which makes XSS attacks possible.

Proof of Concept:

Use the search box of your ClipBucket 2.0.6 installation and input:


This will produce an alert with the contents of your cookie.

$search->key in search_result.php (line 18) is being directly assigned to the title of the search page without sanitizing its value first.

$search->key = $_GET['query'];

Open file search_result.php. Go to line 39:

Replace this:


By this:


The ClipBucket team was already notified and the bug was corrected. Either apply this patch or upgrade to version 2.0.7.
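The general remedy for this class of bug is to encode the request value for HTML at the point where it is written into the page. The following is an added example, not the ClipBucket patch and not code from the original post; the function names and the sample input are hypothetical, and it assumes PHP 7 or later with UTF-8 pages.

```php
<?php
// Added example: names below are hypothetical, not ClipBucket's code.
// Assumes PHP 7+ and UTF-8 pages.

/** Accept only a plain string; ?query[]=x arrives as an array. */
function read_query(array $get): string
{
    $q = $get['query'] ?? '';
    return is_string($q) ? trim($q) : '';
}

/** Encode a value for HTML text and quoted attribute contexts. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: the request value is concatenated into the page as-is. */
function title_unescaped(string $query): string
{
    return '<title>Search results for ' . $query . '</title>';
}

/** After: the same value, encoded at the point of output. */
function title_escaped(string $query): string
{
    return '<title>Search results for ' . h($query) . '</title>';
}

/** The search box that echoes the query back needs the same encoding. */
function search_box(string $query): string
{
    return '<input type="text" name="query" value="' . h($query) . '">';
}

// Constructed sample input: harmless markup plus a quote and an ampersand.
$q = read_query(['query' => '"><b>cats</b> & dogs']);

echo title_unescaped($q), "\n"; // markup reaches the browser intact
echo title_escaped($q), "\n";   // markup is rendered as text
echo search_box($q), "\n";      // the quote cannot close the attribute
echo read_query(['query' => ['x']]) === '' ? "array input rejected\n" : "";
```

Where the value is printed from a Smarty template instead of PHP, the built-in `escape` modifier (`{$var|escape:'html'}`) does the same job.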

Fix autoplay of default ClipBucket flash player

Many of you have noticed that the default player (CB) does not autoplay movies. While some people suggested that there was a typo in cbplayer.plug.php, changing autplay to autoplay wasn’t enough.

I’ve disassembled the CB player to check which variables it was expecting and I found out that it wasn’t autoplay, but autoPlay.

So … in order to fix this issue, open player/cbplayer/cbplayer.plug.php. Locate:

$code	.= "settingsFile: \"".PLAYER_URL."/cbplayer/settings.php?hqid=".$vdata['videoid']."&autplay=".$data['autoplay']."\"\n";
$code	.= "settingsFile: \"".PLAYER_URL."/cbplayer/settings.php?vid=".$vdata['videoid']."&autplay=".$data['autoplay']."\"\n";

Replace with:

$code	.= "settingsFile: \"".PLAYER_URL."/cbplayer/settings.php?hqid=".$vdata['videoid']."&autoPlay=".$data['autoplay']."\"\n";
$code	.= "settingsFile: \"".PLAYER_URL."/cbplayer/settings.php?vid=".$vdata['videoid']."&autoPlay=".$data['autoplay']."\"\n";

Part II

If you want to use autoplay on every page except the index (e.g. to disable autoplay of the editor’s pick movies), add this little snippet:

Open the same file. Locate :

function cbplayer($data,$no_video=false)

Add below :

		$data['autoplay'] = 'false';

You should now be able to autoplay every video using the CB default player except for the ones on the main page. :D

Google analytics MOD to ClipBucket.

Summary: with this mod you will be able to insert any script into your ClipBucket. I’m using it to manage Google Analytics.

1st – Open styles/cbv2new/layout/global_header.html. Find:

<!-- Setting Template Variables -->
    	$_COOKIE['current_style'] = 'grid_view';

Add below:

<!-- Google Analytics -->;

2nd – Open includes/common.php. Find:


Add below:

$Smarty->register_function('show_analytics', 'show_analytics');

3rd – Open includes/functions.php. Find:

	 * Function used to load clipbucket title
	function cbtitle($params=false)

Add above:

	/**
	 * Function used to load Google Analytics - me( at )
	 */
	function show_analytics()
	{
		global $Cbucket;
		// Decode the stored base64 string back into the original script and print it.
		echo base64_decode($Cbucket->configs['google_analytics']);
	}

4th – Open admin_area/main.php. Find:


Add above:



	$value = mysql_clean($_POST[$field]);

Add above:

	if($field == 'google_analytics')
		$value = base64_encode($_POST['google_analytics']);
	else

(the “else” MUST be in the line immediately above “$value = mysql_clean($_POST[$field]);”).

Finally, open /admin_area/styles/cbv2/layout/main.html. Find:

              <td valign="top">Meta Description</td>
              <td valign="top"><textarea name="description" id="description" cols="45" rows="5">{$row.description}</textarea></td>

Add below:

              <td valign="top">Google Analytics</td>
              <td valign="top"><textarea name="google_analytics" id="google_analytics" cols="45" rows="5">{$row.google_analytics|base64_decode|html_entity_decode}</textarea></td>

Done! You should see another option under Web Settings.

Tested under ClipBucket 2.0.6.

PS: I’m using base64_encode/decode because I want to save the script as its original values and I need to avoid using functions like mysql_clean() to sanitize the code. By saving it as a base64 string I avoid potential malicious SQL injection problems. I’m sure there are other ways of doing it but this works OK (I think :p).