CVE-2021-47750 Overview
CVE-2021-47750 is a Cross-Site Scripting (XSS) vulnerability affecting YouPHPTube versions 7.8 and earlier. This vulnerability allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page.
Critical Impact
Successful exploitation enables attackers to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or phishing attacks against users of vulnerable YouPHPTube installations.
Affected Products
- YouPHPTube versions 7.8 and earlier
- YouPHPTube signup page functionality
- Self-hosted video streaming platforms using vulnerable YouPHPTube versions
Discovery Timeline
- 2026-01-13 - CVE CVE-2021-47750 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2021-47750
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the signup page functionality of YouPHPTube, where the redirectUri parameter is not properly sanitized before being reflected in the page output.
When a user visits a specially crafted signup URL, the malicious payload embedded in the redirectUri parameter is executed in the context of the victim's browser session. This allows attackers to perform various malicious actions including stealing session cookies, redirecting users to phishing pages, or performing actions on behalf of authenticated users.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding on the redirectUri parameter within the YouPHPTube signup page. The application fails to properly sanitize user-supplied input before rendering it in the HTML response, allowing script tags and other malicious content to be executed in the browser.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious URL containing JavaScript code in the redirectUri parameter
- Distributing this URL to potential victims through social engineering methods such as phishing emails, social media posts, or compromised websites
- When a victim clicks the link and visits the signup page, the malicious script executes in their browser context
The vulnerability can be exploited without authentication, though it does require the victim to click on the malicious link. Technical details and proof-of-concept information can be found in the Exploit-DB #51101 and the VulnCheck YouPHPTube Advisory.
Detection Methods for CVE-2021-47750
Indicators of Compromise
- Unusual URL patterns in web server logs containing encoded script tags or JavaScript in the redirectUri parameter
- Login page requests with suspicious query strings containing <script>, javascript:, or event handlers like onerror or onload
- Reports from users about unexpected browser behavior or suspicious redirects after visiting signup pages
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS patterns in URL parameters
- Monitor web server access logs for requests to the signup page containing suspicious encoded characters or script-related keywords
- Deploy browser-based XSS detection mechanisms and Content Security Policy (CSP) headers to mitigate script injection attempts
- Use security scanning tools to identify vulnerable YouPHPTube installations in your environment
Monitoring Recommendations
- Enable verbose logging on web servers hosting YouPHPTube to capture full query strings
- Set up alerts for anomalous patterns in the redirectUri parameter values
- Monitor for CSP violation reports that may indicate XSS exploitation attempts
- Review referrer logs for suspicious external sources linking to your signup page
How to Mitigate CVE-2021-47750
Immediate Actions Required
- Upgrade YouPHPTube to the latest available version that addresses this vulnerability
- Implement input validation on the redirectUri parameter to only accept whitelisted redirect destinations
- Deploy Content Security Policy (CSP) headers to restrict script execution sources
- Consider temporarily disabling the signup page redirect functionality until a patch is applied
Patch Information
Administrators should review the VulnCheck YouPHPTube Advisory for specific patch and upgrade information. For historical reference, archived information about the product can be found at the Web Archive YouPHPTube Snapshot.
Workarounds
- Implement a strict allowlist for the redirectUri parameter, only permitting redirects to known-safe internal URLs
- Add output encoding for all user-controlled parameters rendered in HTML responses
- Deploy a Web Application Firewall (WAF) with XSS protection rules enabled
- Implement Content Security Policy headers with script-src 'self' to prevent inline script execution
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or httpd.conf
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
