Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33492 is a session fixation vulnerability in the WWBN AVideo platform (versions up to 26.0). The vulnerability arises because the platform's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter, allowing an attacker to set a victim's session ID before authentication."}, {'type': 'paragraph', 'content': 'Additionally, session ID regeneration is bypassed for certain blacklisted endpoints when requests come from the same domain, and session regeneration is explicitly disabled during user login. This combination allows an attacker to fix a session ID for a victim, who then logs in with that fixed session, enabling the attacker to hijack the authenticated session.'}, {'type': 'paragraph', 'content': 'Other factors worsening the issue include exposure of session IDs to same-origin JavaScript and lack of binding sessions to IP addresses or user agents, making session hijacking easier.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to full account takeover, including administrator accounts, allowing attackers to access private videos, messages, and personal data.

Attackers can escalate privileges and gain full administrative control, enabling them to perform any action as the victim, such as modifying content and changing settings.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for the presence of the PHPSESSID parameter in GET requests to the AVideo platform, especially if session IDs are being accepted via URL parameters instead of cookies.'}, {'type': 'paragraph', 'content': 'You can inspect HTTP requests to check if session IDs are being passed in URLs and if session regeneration is disabled on login or certain endpoints.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests and grep or similar tools to filter for PHPSESSID in URLs.'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'PHPSESSID='"}, {'type': 'list_item', 'content': "grep -r 'PHPSESSID' /path/to/avideo/logs/access.log"}, {'type': 'list_item', 'content': 'Review application logs or web server logs for GET requests containing PHPSESSID parameters.'}, {'type': 'paragraph', 'content': 'Additionally, checking the source code or runtime behavior to verify if session regeneration is disabled on login or blacklisted endpoints can help detect the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Re-enable session ID regeneration on user login by uncommenting or adding the call to _session_regenerate_id() in the User::login() function.
• Remove or restrict acceptance of session IDs via GET parameters (PHPSESSID) to prevent attackers from fixing session IDs through URLs.
• Eliminate exposure of session IDs to JavaScript by removing endpoints like objects/phpsessionid.json.php and avoiding storing session IDs in global JavaScript variables.
• Implement validation of session IDs to ensure they conform to expected formats before accepting them.

These steps prevent attackers from fixing session IDs before authentication and protect against session hijacking.

Useful 0 Not Useful 0