WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 25.0
A vulnerability in WWBN AVideo versions through 25.0 allows cross-origin session theft and account takeover. The 'phpsessionid.json.php' endpoint exposes the PHP session ID to any unauthenticated request, and the 'allowOrigin()' function reflects the request's Origin header back in 'Access-Control-Allow-Origin' together with 'Access-Control-Allow-Credentials: true'. As a result, an attacker can steal the session ID of a logged-in user, including administrators, by having them visit an attacker-controlled page.
Exploitation of this vulnerability allows for session hijacking, where an attacker can impersonate a user with full privileges, including administrative rights.
To reproduce this vulnerability, send a credentialed request to the 'phpsessionid.json.php' endpoint. The response will include the session ID, which can be used to hijack the user's session. This can be automated with a script that fetches the session ID and sends it to an attacker-controlled server.
Users can update to AVideo version 26.0 or later, where this vulnerability has been fixed.
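
The Origin reflection described above, modelled next to an exact-match allowlist, as an added example that is not AVideo source code and not necessarily how version 26.0 fixes the issue. The function names, the allowlist and the example origins are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for a hypothetical deployment (constructed values).
TRUSTED_ORIGINS = frozenset({"https://video.example.com"})


def normalize_origin(origin):
    """Return scheme://host[:port] for a well-formed Origin value, else None."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")


def reflective_cors_headers(origin):
    """Behaviour described in the advisory: echo any Origin, allow credentials."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlist_cors_headers(origin, trusted=TRUSTED_ORIGINS):
    """Hardened form: credentialed CORS only for exact, pre-approved origins."""
    headers = {"Vary": "Origin"}  # caches must not reuse one origin's grant
    normalized = normalize_origin(origin or "")
    if normalized in trusted:
        headers["Access-Control-Allow-Origin"] = normalized
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_exposes_response(page_origin, headers):
    """Browser rule for a credentialed cross-origin request: the calling page
    may read the body only if ACAO equals its origin and ACAC is 'true'."""
    return (headers.get("Access-Control-Allow-Origin") == page_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


def readable_from(policy, page_origin):
    """Would a page at page_origin be able to read this policy's response?"""
    return browser_exposes_response(page_origin, policy(page_origin))
```

`readable_from` doubles as a regression check: for any origin outside the allowlist it must return False for the policy a deployment actually serves.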