WWBN AVideo Unauthenticated Password Hash Oracle Vulnerability in Versions Through 14.3

A vulnerability exists in WWBN AVideo, an open-source video platform, in versions 25.0 and below. The issue is located in the file 'objects/encryptPass.json.php', which is part of the application's password hashing mechanism. This endpoint allows any unauthenticated user to submit passwords and receive their hashed versions. This functionality can be exploited to accelerate offline password cracking efforts against leaked database hashes. The vulnerability arises because the hashing algorithm is exposed without authentication, and the default hashing method is weak and deterministic, allowing for easy reversal of passwords if hashes are obtained from the database.

Impact

The vulnerability significantly speeds up the process of cracking passwords by eliminating the need to reverse-engineer the hashing algorithm. The default hash chain, which combines MD5, Whirlpool, and SHA-1 without salt, is weak, enabling rapid cracking of passwords for an attacker with access to database hashes. Furthermore, this vulnerability discloses sensitive information about the application's cryptographic practices, including the hashing method and whether password salting is applied.

Reproduction

To reproduce this vulnerability, send a request to the 'objects/encryptPass.json.php' endpoint with a password parameter. The response will include the hashed version of the password, demonstrating the exposure of the hashing algorithm to unauthenticated users. This vulnerability can also be tested by comparing the hashes obtained from this endpoint with those extracted from the database, such as through SQL injection or backup file exposure.

Remediation

Users can upgrade to WWBN AVideo version 26.0 or later, where this vulnerability has been addressed.