Executive Summary

This vulnerability affects WWBN AVideo, an open source video platform, in versions 29.0 and prior. Multiple JSON endpoints under the "objects/" path accept state-changing requests via $_REQUEST or $_GET without any anti-CSRF token, origin check, or referer check. This means that a malicious webpage visited by a logged-in user can perform actions on behalf of that user without their consent.

• The attacker can flip the victim's like or dislike on any comment.
• The attacker can post a comment authored by the victim with attacker-chosen text on any video.
• If the victim has category management rights, the attacker can delete assets from any category.

Exploitation only requires the victim to load an attacker-controlled HTML resource, such as an image tag or form submission, making it easy to exploit.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to perform unauthorized actions on your behalf if you are logged into the affected AVideo platform.

• Attackers can manipulate your interactions, such as changing likes or dislikes on comments.
• Attackers can post comments using your account, potentially damaging your reputation or spreading misinformation.
• If you have category management rights, attackers can delete assets, leading to data loss.

Overall, this can lead to loss of control over your account actions and potential damage to content integrity.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix, specifically after commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c.

Since the vulnerability arises from missing anti-CSRF tokens and origin/referer checks on state-changing JSON endpoints, ensure that your deployment includes proper CSRF protections and origin validation.

Additionally, educate users to avoid visiting untrusted or attacker-controlled web pages while logged into the AVideo platform to reduce risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to perform unauthorized state-changing actions on behalf of authenticated users without their consent, such as altering likes/dislikes, posting comments, or deleting assets. This lack of proper authorization and anti-CSRF protections could lead to unauthorized data manipulation and potential data integrity issues.

Such unauthorized actions may impact compliance with standards like GDPR and HIPAA, which require ensuring data integrity, user consent, and protection against unauthorized access or modification of personal data. However, the provided information does not explicitly detail the direct compliance impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP GET requests targeting the affected JSON endpoints under the objects/ directory in AVideo versions up to 29.0. Specifically, look for cross-origin requests that perform state-changing actions without proper CSRF tokens or origin checks.

You can use network traffic inspection tools or web server logs to identify requests to the following endpoints with query parameters that may indicate exploitation attempts:

• objects/comments_like.json.php (e.g., requests with comments_id parameter)
• objects/commentAddNew.json.php (e.g., requests with parameters for posting comments)
• objects/categoryDeleteAssets.json.php (e.g., requests attempting asset deletion)

Example commands to detect such requests in web server logs (assuming Apache logs in access.log):

• grep 'GET /objects/comments_like.json.php' /var/log/apache2/access.log
• grep 'GET /objects/commentAddNew.json.php' /var/log/apache2/access.log
• grep 'GET /objects/categoryDeleteAssets.json.php' /var/log/apache2/access.log

Additionally, monitoring for cross-origin requests with suspicious Referer or Origin headers or absence thereof can help detect exploitation attempts.

Useful 0 Not Useful 0