CVE-2021-47749 Overview
CVE-2021-47749 is a Local File Inclusion (LFI) vulnerability affecting YouPHPTube versions 7.8 and earlier. This vulnerability allows unauthenticated attackers to access arbitrary files on the server by manipulating the lang parameter in GET requests. By exploiting path traversal sequences in locale/function.php, attackers can include and view PHP files outside the intended directory, potentially exposing sensitive configuration data, credentials, and application source code.
Critical Impact
Unauthenticated attackers can read arbitrary files from the server filesystem, potentially exposing database credentials, API keys, and other sensitive configuration data without any authentication required.
Affected Products
- YouPHPTube version 7.8 and earlier
- YouPHPTube installations with accessible locale/function.php endpoint
- Self-hosted YouPHPTube video streaming platforms
Discovery Timeline
- 2026-01-13 - CVE CVE-2021-47749 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2021-47749
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The flaw exists in the locale handling functionality of YouPHPTube, specifically within the locale/function.php file that processes language selection requests.
The application fails to properly sanitize user-supplied input in the lang parameter before using it to construct file paths for inclusion. This allows attackers to escape the intended locale directory by injecting directory traversal sequences (such as ../) into the parameter value. When the application processes these malicious requests, it includes files from arbitrary locations on the filesystem rather than legitimate language files.
Since the vulnerability requires no authentication, any remote attacker with network access to the YouPHPTube instance can exploit this flaw. The attack is straightforward to execute and requires minimal technical skill, making it particularly dangerous for exposed installations.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization in the locale/function.php file. The application directly incorporates user-controlled input from the lang GET parameter into file path operations without:
- Validating that the input contains only expected characters (alphanumeric, limited special characters)
- Stripping or blocking directory traversal sequences (../, ..\\)
- Implementing a whitelist of allowed language values
- Using realpath() or similar functions to canonicalize and validate the resulting path
Attack Vector
The attack is executed via the network with no authentication required. An attacker sends a crafted HTTP GET request to the vulnerable endpoint, manipulating the lang parameter to include directory traversal sequences. The malicious request causes the server to include arbitrary PHP files, exposing their contents to the attacker.
For example, an attacker might attempt to traverse from the locale directory to system configuration files or application configuration files containing database credentials. The attack exploits the trust placed in the lang parameter, which should only contain locale identifiers like en_US or pt_BR, but instead accepts malicious path traversal payloads.
Technical details and a proof-of-concept demonstrating this vulnerability are available in the Exploit-DB #51101 entry.
Detection Methods for CVE-2021-47749
Indicators of Compromise
- HTTP access logs containing requests to locale/function.php with ../ sequences in the lang parameter
- Unusual GET requests with encoded directory traversal patterns such as %2e%2e%2f or %2e%2e/
- Multiple rapid requests to locale endpoints from single IP addresses attempting various traversal depths
- Error logs showing file inclusion attempts for paths outside the locale directory
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences in request parameters
- Configure intrusion detection systems (IDS) to alert on patterns matching lang=.. or URL-encoded equivalents in request URIs
- Deploy file integrity monitoring on sensitive configuration files to detect unauthorized access attempts
- Review web server access logs for requests containing directory traversal patterns targeting the locale functionality
Monitoring Recommendations
- Enable detailed logging for all requests to the YouPHPTube application, particularly the locale endpoint
- Set up automated alerting for any requests containing path traversal sequences in query parameters
- Monitor for unusual file access patterns on the server, especially access to configuration files from web processes
- Implement rate limiting on the locale endpoint to slow down automated exploitation attempts
How to Mitigate CVE-2021-47749
Immediate Actions Required
- If YouPHPTube is no longer in active use, consider decommissioning the application immediately
- Restrict network access to YouPHPTube installations using firewall rules or VPN requirements
- Implement a web application firewall (WAF) rule to block requests containing directory traversal sequences
- Review access logs to identify any past exploitation attempts and assess potential data exposure
Patch Information
YouPHPTube appears to be an archived/unmaintained project based on the archived project page. Organizations using this software should evaluate migration to actively maintained alternatives. For additional context and advisory information, refer to the VulnCheck Advisory.
Workarounds
- Implement strict input validation on the lang parameter to allow only alphanumeric characters and underscores
- Deploy ModSecurity or similar WAF with rules blocking path traversal patterns in query strings
- Use web server configuration to restrict access to the locale/function.php file or the entire locale directory
- Consider placing the application behind an authentication layer to prevent unauthenticated access
# Example ModSecurity rule to block path traversal attempts
SecRule ARGS "@contains ../" "id:100001,phase:2,deny,status:403,msg:'Path Traversal Attempt Blocked',log,auditlog"
SecRule ARGS "@rx \.\.[\\/]" "id:100002,phase:2,deny,status:403,msg:'Encoded Path Traversal Blocked',log,auditlog"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
