WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 25.0
A vulnerability in the WWBN AVideo platform, affecting versions prior to 26.0, allows an administrator to unintentionally set a channel password of '0' for any user. The issue lies in the CustomizeUser plugin's 'setPassword.json.php' endpoint, where the 'ProfilePassword' parameter is converted to an integer instead of being handled as a string, so a non-numeric password is coerced to 0 before being saved. Any visitor can then guess the value '0' and bypass channel-level access controls. Exploitation requires only that an admin set a channel password through the affected endpoint; the stored value becomes '0' and grants unauthorized access to the corresponding channel.
The flaw lets any administrator who sets a non-numeric channel password unknowingly store one that is effectively '0', defeating the password protection and exposing the channel to unauthorized users. It does not lead to account takeover or privilege escalation, but it renders the channel password feature useless for non-numeric passwords and breaks the intended access controls.
To reproduce, an administrator logs into the AVideo platform and sets a channel password through the 'setPassword.json.php' endpoint of the CustomizeUser plugin. Any non-numeric string is silently converted to '0' before being saved. Afterwards, any visitor can access the channel by entering '0' as the password, bypassing the channel's access controls.
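The following PHP is an added illustration of the logic error described above and of the reproduction steps; it is not code from the AVideo project or from this advisory. The endpoint's real variable and storage names are not given here, so the array layout, the `(int)` cast as the coercion mechanism, the check functions and the channel data are all assumptions, and the request and channel records are constructed for the demo.

```php
<?php
// Added illustration only; not AVideo's own setPassword.json.php.
// Assumed: the endpoint reads a 'ProfilePassword' request field and stores
// the channel password in a per-channel record. All names are hypothetical.

// Vulnerable handling, modelled on the advisory: the value is cast to an
// integer before it is saved. PHP's integer cast of a string that does not
// begin with digits yields 0, so "S3cret!" collapses to 0.
function vulnerable_set_password(array &$channel, array $request): void
{
    $channel['password'] = (int) ($request['ProfilePassword'] ?? 0);
}

// String comparison against the stored value, so the result does not depend
// on PHP's version-specific loose (==) int/string comparison rules.
function vulnerable_check_password(array $channel, string $attempt): bool
{
    return (string) $channel['password'] === $attempt;
}

// Hardened handling: keep the value a string, refuse empty input, store a
// password hash and verify with password_verify() (constant-time compare).
function hardened_set_password(array &$channel, array $request): bool
{
    $password = $request['ProfilePassword'] ?? '';
    if (!is_string($password) || trim($password) === '') {
        return false; // never silently store an empty or zeroed password
    }
    $channel['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

function hardened_check_password(array $channel, string $attempt): bool
{
    return isset($channel['password_hash'])
        && password_verify($attempt, $channel['password_hash']);
}

// Audit helper for an existing install: list channels whose stored password
// is the coerced 0 and therefore trivially guessable.
function find_zeroed_channels(array $channels): array
{
    $zeroed = [];
    foreach ($channels as $id => $channel) {
        $stored = $channel['password'] ?? null;
        if ($stored === 0 || $stored === '0') {
            $zeroed[] = $id;
        }
    }
    return $zeroed;
}

// Constructed request and channel records for the demo (not real data).
$request = ['ProfilePassword' => 'S3cret!'];

$vuln = ['name' => 'demo-channel'];
vulnerable_set_password($vuln, $request);
printf("vulnerable: stored=%s accept '0'=%s accept 'S3cret!'=%s\n",
    var_export($vuln['password'], true),
    var_export(vulnerable_check_password($vuln, '0'), true),
    var_export(vulnerable_check_password($vuln, 'S3cret!'), true));

$safe = ['name' => 'demo-channel'];
hardened_set_password($safe, $request);
printf("hardened: accept '0'=%s accept 'S3cret!'=%s\n",
    var_export(hardened_check_password($safe, '0'), true),
    var_export(hardened_check_password($safe, 'S3cret!'), true));

// Audit across a constructed channel table: only the coerced record is listed.
$channels = ['c1' => $vuln, 'c2' => ['password' => 1234], 'c3' => $safe];
print_r(find_zeroed_channels($channels));
```

Run with `php example.php`. The vulnerable path accepts '0' and rejects the password the admin actually typed, while the hardened path does the opposite. The audit helper is the kind of check a practitioner would run over channel records after upgrading, since a code fix changes how new values are processed, not what was already stored.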
Update to AVideo version 26.0 or later, where this issue has been patched. Channel passwords that were set through the affected endpoint while the platform was vulnerable have already been stored as '0'; the upgrade corrects how new values are processed, so those passwords should be set again after upgrading.