WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A session fixation vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises because the `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter, which are then set as the active PHP session. This vulnerability is compounded by a session regeneration bypass for certain blacklisted endpoints when the request comes from the same domain. With session regeneration disabled in the `User::login()` function, an attacker can exploit this vulnerability by fixing a victim's session ID before authentication and subsequently hijacking the authenticated session.
Exploitation of this vulnerability allows for full account takeover, enabling an attacker to hijack any user's authenticated session, including those of administrators. This grants access to the victim's videos, private content, messages, and personal information. If the victim is an admin, the attacker gains full administrative control over the AVideo instance.
To reproduce this vulnerability, an attacker first obtains a valid session ID by visiting the site and extracting the session ID from the `Set-Cookie` header. The attacker then injects a link containing this session ID into a comment or description on the platform. When a victim clicks the link, the AVideo domain's Referer header allows the attacker's session ID to be set as the active session. The victim can then log in, unknowingly using the fixed session ID, which the attacker can hijack.
To address this vulnerability, session regeneration should be re-enabled on login. Additionally, the acceptance of GET-based session IDs should be removed or restricted, and the exposure of session IDs through the `phpsessionid.json.php` endpoint and the `session.js` global variable should be eliminated.
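The following is an added illustration of the two patterns the advisory contrasts, written for this page and not taken from AVideo's code base: a session start that accepts a caller-supplied ID and a login that keeps it, beside a hardened version that reads the ID only from the cookie, rejects unknown IDs, and rotates the ID at login. The function names (`vulnerable_session_start`, `hardened_session_start`, `hardened_login`, `hardened_logout`) are hypothetical; only the PHP built-ins and `session.*` INI settings are real.

```php
<?php
// Added example, not AVideo's own code. Function names are hypothetical;
// the PHP built-ins and session.* INI settings are real.

// ---- Weak pattern: the shape of the flaw described in the advisory ----

// Takes a session ID from the query string and makes it the active session,
// so whoever chose that ID shares the session with the victim.
function vulnerable_session_start(): void
{
    if (!empty($_GET['PHPSESSID'])) {
        session_id($_GET['PHPSESSID']); // caller-controlled ID becomes the live session
    }
    session_start();
}

// No session_regenerate_id() at the privilege boundary: the pre-authentication
// ID survives login, so a fixed ID turns into an authenticated one.
function vulnerable_login(array $user): void
{
    $_SESSION['user_id'] = $user['id'];
}

// ---- Hardened pattern: the mitigation the advisory recommends ----

function hardened_session_start(): void
{
    // Accept the session ID only from the cookie, never from GET/POST or the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs that this server did not itself create (PHP >= 5.5.2).
    ini_set('session.use_strict_mode', '1');
    // Cookie flags; 'secure' assumes the site is served over HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function hardened_login(array $user): void
{
    // Issue a fresh ID at login and delete the old session file, so any ID the
    // client held before authenticating no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['auth_time'] = time();
}

function hardened_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser as well as on the server.
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

A quick check that a deployment follows the hardened pattern: compare the `PHPSESSID` value in the `Set-Cookie` header of the response to a successful login against the value the browser sent in the request. If the two are identical, the ID was not rotated at the privilege boundary, which is the condition the advisory describes; `session.use_only_cookies=1` and `session.use_strict_mode=1` can likewise be confirmed in `phpinfo()` or with `php -i`.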