WWBN AVideo Unauthenticated Application Takeover Vulnerability in the Installer Endpoint

Vulnerability

A vulnerability in WWBN AVideo versions through 25.0 allows for unauthenticated application takeover via the install/checkConfiguration.php endpoint. This endpoint executes full application initialization, including database setup, admin account creation, and configuration file writing, all based on unauthenticated POST data. The only protection in place is a check for the existence of videos/configuration.php. On uninitialized deployments, a remote attacker can exploit this by sending POST requests with their own credentials and database information, thereby gaining full administrative access. This vulnerability has been patched in version 26.0.

Impact

Exploitation of this vulnerability leads to complete administrative control over the AVideo application. The attacker can manipulate all application data and, because the installer accepts attacker-supplied database credentials, can point the installation at a database they control and thereby collect user data such as registrations, uploads, and comments. Additionally, with admin access, the attacker can upload files and manage plugins, potentially executing arbitrary PHP code. The vulnerability also introduces a SQL injection risk, as demonstrated by the handling of the contactEmail parameter.

Reproduction

To reproduce this vulnerability, first ensure that the AVideo application is in an uninitialized state, meaning that the videos/configuration.php file does not exist. Then, send a POST request to the /install/checkConfiguration.php endpoint with the required parameters, including databaseHost, databaseUser, databasePass, contactEmail, systemAdminPass, webSiteTitle, mainLanguage, and webSiteRootURL. The request can be made using a tool like curl. Once the request is processed, the application will be initialized with the provided data, and the attacker can log in as the admin user with the specified password.
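The following is an added defender-side example, not code from the advisory or from the AVideo project. It shows two checks a practitioner would want on an AVideo host: flagging requests to install/checkConfiguration.php in web-server access logs (any hit is an installer probe; a POST is an initialization attempt), and classifying a deployment's exposure from the two facts the advisory names, whether videos/configuration.php exists and whether the installer script is still present. The log lines, the combined-log regex and the form-body helper are constructed for the example; the parameter names come from the Reproduction section above.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs

# Constructed regex for the common "combined" access-log format (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

INSTALLER_PATH = "/install/checkConfiguration.php"
# Form parameters the advisory lists for the installer endpoint.
INSTALLER_PARAMS = {
    "databaseHost", "databaseUser", "databasePass", "contactEmail",
    "systemAdminPass", "webSiteTitle", "mainLanguage", "webSiteRootURL",
}

# Constructed sample log lines (RFC 5737 documentation addresses, placeholder timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2026:06:22:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Mar/2026:06:22:03 +0000] "GET /install/checkConfiguration.php HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.7 - - [20/Mar/2026:06:22:04 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 233 "-" "curl/8.5.0"',
    '198.51.100.4 - - [20/Mar/2026:06:25:11 +0000] "POST /objects/login.json.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    "this line is deliberately malformed and must be skipped, not crash the parser",
]


def parse_line(line):
    """Parse one combined-format access-log line; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def flag_installer_requests(lines):
    """Return every request that reached the installer endpoint, labelled by method.

    A GET is a reconnaissance-style probe; a POST is what the advisory describes
    as the initialization request and should page someone on an internet-facing host.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]  # ignore any query string
        if not path.endswith(INSTALLER_PATH):
            continue
        entry["kind"] = "initialization_attempt" if entry["method"] == "POST" else "installer_probe"
        hits.append(entry)
    return hits


def installer_params_in_body(body):
    """For sensors that see request bodies (reverse-proxy or WAF audit logs):
    return which installer parameters a form-encoded body carries."""
    return INSTALLER_PARAMS & set(parse_qs(body, keep_blank_values=True))


def classify_deployment(configured, installer_present):
    """Map the two facts the advisory names to an exposure state.

    configured:        videos/configuration.php exists (the endpoint's only guard)
    installer_present: install/checkConfiguration.php is still on disk
    """
    if installer_present and not configured:
        return "EXPOSED"                # unauthenticated takeover possible
    if installer_present and configured:
        return "GUARDED_BY_FILE_ONLY"   # safe only as long as that one file survives
    return "INSTALLER_ABSENT"


def installer_exposure(app_root):
    """Inspect a deployment directory (hypothetical path) and classify it."""
    root = Path(app_root)
    return classify_deployment(
        configured=(root / "videos" / "configuration.php").is_file(),
        installer_present=(root / "install" / "checkConfiguration.php").is_file(),
    )


if __name__ == "__main__":
    for hit in flag_installer_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["kind"]}')
    print(installer_exposure("/var/www/avideo"))  # hypothetical install location
```

On a host that has finished installation, the practical mitigation beyond upgrading to 26.0 is to make the installer unreachable regardless of the guard file: remove or deny the install/ directory at the web server, and keep the log check running so a later re-deploy that lands in the uninitialized state is noticed before a POST to the endpoint does.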

Remediation

Users can upgrade to AVideo version 26.0 or later, where this vulnerability has been fixed.

Added: Mar 20, 2026, 6:22 AM
Updated: Mar 20, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 7.4
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.