Impact Analysis

This vulnerability can have severe impacts including a complete takeover of the platform's functionality. An attacker can overwrite arbitrary plugin settings, which may allow them to reconfigure payment processors, authentication providers, and cloud storage credentials.

Such control could lead to unauthorized access, financial fraud, data breaches, and disruption of services, severely compromising the security and integrity of the platform.

Useful 0 Not Useful 0

Executive Summary

This vulnerability affects WWBN AVideo, an open source video platform, specifically versions 26.0 and prior. The issue lies in the admin plugin configuration endpoint (admin/save.json.php), which does not validate CSRF tokens. There is no verification using isGlobalTokenValid() or verifyToken() before processing requests. Because the application uses a SameSite=None cookie policy, an attacker can craft cross-origin POST requests from a malicious website to overwrite plugin settings in an administrator's session.

Additionally, the plugins table is excluded from standard table-level access controls, allowing attackers to bypass security checks. This enables an attacker to take over platform functionality by changing critical settings such as payment processors, authentication providers, and cloud storage credentials.

At the time of publication, no public patches are available to fix this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps should focus on limiting exposure and risk.

• Restrict access to the admin plugin configuration endpoint (admin/save.json.php) to trusted IP addresses or networks only.
• Implement additional CSRF protections at the web server or application firewall level to block cross-origin POST requests targeting the vulnerable endpoint.
• Monitor administrative sessions for unusual activity or unexpected changes in plugin configurations.
• Consider temporarily disabling the admin plugin or the affected configuration endpoint if feasible until a patch is available.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the admin plugin configuration endpoint (admin/save.json.php) accepts POST requests without requiring a valid CSRF token.

One way to test this is to send a crafted POST request to the endpoint with arbitrary plugin configuration parameters and observe if the request is processed without CSRF token validation.

For example, you can use the following curl command to test the endpoint (replace URL and parameters accordingly):

• curl -X POST -b "PHPSESSID=your_admin_session_cookie" -d "pluginName=attacker_plugin&pluginValue=malicious_value" https://your-avideo-instance/admin/save.json.php

If the request succeeds and plugin settings are changed without a CSRF token, the system is vulnerable.

Additionally, reviewing the source code of admin/save.json.php to verify the absence of calls to isGlobalTokenValid() or verifyToken() before processing POST requests can confirm the vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to take over platform functionality by reconfiguring critical settings such as payment processors, authentication providers, and cloud storage credentials. This could lead to unauthorized access and manipulation of sensitive data.

Such unauthorized access and control could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, the provided information does not explicitly state the impact on compliance with these standards.

Useful 0 Not Useful 0