WWBN AVideo Unauthenticated Blind SQL Injection Vulnerability in RTMP on_publish Callback

Vulnerability

A blind SQL injection vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the RTMP on_publish callback within plugin/Live/on_publish.php, which is accessible without authentication. The vulnerability is triggered by the stream key parameter, $_POST['name'], which is inserted directly into SQL queries in LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() without sanitization or parameterization. This flaw allows an unauthenticated attacker to perform time-based blind SQL injection, potentially leading to the extraction of sensitive database information such as user password hashes, email addresses, and other personal data.

Impact

Exploitation of this vulnerability allows for unauthenticated blind SQL injection, enabling attackers to extract all database contents, including user password hashes, email addresses, and sensitive configuration data. Additionally, extracted password hashes can be used to authenticate as any user in the streaming system, allowing for impersonation and unauthorized access to user accounts.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'plugin/Live/on_publish.php' with a crafted stream key parameter that exploits the SQL injection flaw. This can be done using a tool like curl, targeting the RTMP on_publish callback. The injection can be verified by observing a delayed response time, indicating successful exploitation.

Remediation

Users are advised to update to the patched version of WWBN AVideo, where this vulnerability has been addressed by implementing parameterized queries in the affected functions. Instructions for updating can be found in the AVideo repository.
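The following is an added illustration of the pattern described in the Vulnerability section and of the parameterized-query fix named under Remediation; it is not AVideo's own code. The table name live_transmitions, the column name key, and the connection details are assumptions chosen for the example.

```php
<?php
// Added illustration, not code from the AVideo project.
// Table/column names and connection details below are assumptions.

// Unsafe pattern: the stream key is spliced into the SQL text, so the
// database parses whatever the caller sent as part of the statement.
function keyExistsUnsafe(mysqli $db, string $streamKey): bool
{
    $sql = "SELECT id FROM live_transmitions WHERE `key` = '" . $streamKey . "' LIMIT 1";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened pattern: a prepared statement sends the statement text and the
// value separately, so the key is only ever a string parameter, never SQL.
function keyExistsSafe(mysqli $db, string $streamKey): bool
{
    $stmt = $db->prepare("SELECT id FROM live_transmitions WHERE `key` = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $streamKey);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Callback entry point: read the key from the on_publish POST body and use
// the parameterized lookup. A non-2xx response tells the RTMP server to
// refuse the publish.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'avideo'); // placeholders
$streamKey = $_POST['name'] ?? '';
if ($streamKey === '' || !keyExistsSafe($db, $streamKey)) {
    http_response_code(403);
    exit;
}
http_response_code(200);
```

Because the parameterized version never builds SQL from the stream key, a crafted key can only fail to match a row; it cannot change the shape or timing of the query.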

Added: Mar 23, 2026, 3:31 PM
Updated: Mar 23, 2026, 3:31 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 9.7
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.