WWBN AVideo Gallery Plugin Cross-Site Request Forgery Vulnerability Leading to Unauthenticated Remote Code Execution

Vulnerability

A vulnerability in the WWBN AVideo Gallery plugin, affecting versions through 26.0, allows cross-site request forgery (CSRF) attacks that can lead to unauthenticated remote code execution. The issue arises in the 'saveSort.json.php' endpoint, which passes unsanitized user input from the 'sections' array directly into PHP's 'eval()' function. Although the endpoint requires admin privileges, it lacks CSRF token validation. The problem is exacerbated by AVideo's 'SameSite=None' session cookie policy, under which the browser attaches the admin's session cookie to cross-site requests, so an attacker who can lure an admin into visiting a malicious page can exploit the flaw.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server, with the potential for a full server compromise. The executed code runs in the context of the web server user, and the attack can be completed quickly and discreetly, making it difficult for the targeted admin to notice anything amiss.

Reproduction

To reproduce this vulnerability, an attacker must create a webpage that includes an auto-submitting form. This form should be set to send a POST request to the 'saveSort.json.php' endpoint with the 'sections' parameter containing malicious PHP code. The admin must then be lured into visiting this page, which triggers the CSRF attack by sending the request with the admin's session cookie; the request therefore passes the admin check and the injected code is executed on the server.

Remediation

Users can update to the patched version of the AVideo Gallery plugin, which is available on the official GitHub repository. The latest version includes the necessary input validation and CSRF protection. For those who cannot update immediately, consider disabling the Gallery plugin or implementing manual CSRF protections.
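As an added illustration (not the plugin's own code), the following PHP handler is hardened along the lines the remediation describes: a per-session CSRF token checked with hash_equals(), a session cookie that is not sent on cross-site requests, and a 'sections' payload that is validated as data and stored as JSON instead of being passed to eval(). The function names, the list of allowed section names, the 'csrf' field and the storage path are assumptions.

```php
<?php
// Added example, not AVideo's code. Hardened replacement for the pattern the
// advisory describes (raw 'sections' input into eval(), no CSRF check).
declare(strict_types=1);

// Session cookie that browsers will not attach to cross-site POSTs
// (the advisory notes the shipped policy is SameSite=None).
// Must be called before session_start().
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// Per-session CSRF token; the admin form embeds it as a hidden field.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Treat the sort payload as data, never as code: only known section
// names (assumed list) mapped to non-negative integer positions pass.
function validateSections($raw, array $allowed): ?array {
    if (!is_array($raw)) { return null; }
    $clean = [];
    foreach ($raw as $name => $pos) {
        if (!is_string($name) || !in_array($name, $allowed, true)) { return null; }
        $n = filter_var($pos, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($n === false) { return null; }
        $clean[$name] = $n;
    }
    return $clean;
}

header('Content-Type: application/json');
// Constant-time comparison; the known-good value goes first.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !hash_equals(csrfToken(), (string) ($_POST['csrf'] ?? ''))) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid CSRF token']); exit;
}
// The existing admin-privilege check would sit here (assumed, not shown).
$sections = validateSections($_POST['sections'] ?? null, ['featured', 'latest', 'trending']);
if ($sections === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid sections']); exit;
}
// Persist as JSON: what is stored is inert data, never evaluated.
file_put_contents(__DIR__ . '/sort.json', json_encode($sections)); // assumed path
echo json_encode(['ok' => true]);
```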

Added: Mar 23, 2026, 3:23 PM
Updated: Mar 23, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 7.3
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.