WWBN AVideo Remote Code Execution Vulnerability via CSRF Exploit in Plugin Upload Endpoint

Vulnerability

A remote code execution vulnerability has been identified in WWBN AVideo versions through 26.0. The issue lies in the 'objects/pluginImport.json.php' endpoint, which lets admin users upload and install plugins but has no Cross-Site Request Forgery (CSRF) protection. In addition, the application sets 'session.cookie_samesite' to 'None' for HTTPS connections, so the admin's session cookie is sent with cross-site requests. An unauthenticated attacker can therefore craft a page that, when visited by an authenticated admin, uploads a malicious plugin containing a PHP web shell, leading to arbitrary code execution on the server. The attack relies on the combination of missing CSRF token validation and the permissive SameSite cookie policy, which allows the forged request to bypass Cross-Origin Resource Sharing (CORS) restrictions and run the web shell with the privileges of the web server user.

Impact

Exploitation of this vulnerability gives remote code execution on the server, with the code running as the web server user (typically 'www-data'). This can lead to full server compromise: the attacker can access the database, exfiltrate data, move laterally within the network, and attempt privilege escalation.

Reproduction

To reproduce this vulnerability, first create a ZIP file containing a malicious plugin that includes a PHP file acting as a web shell. Host the ZIP file where a crafted web page can fetch it. That page exploits the CSRF weakness by submitting the plugin to the AVideo instance's 'objects/pluginImport.json.php' endpoint. The final step is to have an authenticated admin user visit the crafted page, which triggers the upload and installation of the plugin and makes the web shell reachable.

Remediation

To address this vulnerability, add CSRF token validation to the 'objects/pluginImport.json.php' endpoint and update the plugin upload form in 'view/managerPluginUpload.php' to include the token. Also consider changing the SameSite cookie attribute from 'None' to 'Lax' unless cross-origin cookie inclusion is explicitly required; with 'Lax', a cross-site POST no longer carries the admin session cookie, which removes the second precondition of the attack.
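The following is an added illustration of the remediation above, not AVideo's own code: a per-session CSRF token, a constant-time check to run at the top of the upload endpoint before any file is processed, and session cookie parameters set to SameSite=Lax. The function names 'csrf_token' and 'csrf_token_valid' and the field name 'csrf_token' are assumptions.

```php
<?php
// Added example (not AVideo's code). Function and field names are hypothetical.

// Cookie policy the remediation recommends: SameSite=Lax instead of None,
// so the admin's session cookie is not attached to cross-site POST requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // the advisory's scenario is HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Return the per-session CSRF token, generating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token to the session token in constant time.
// Returns false when no token was submitted or no session token exists yet.
function csrf_token_valid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// In the upload form (view/managerPluginUpload.php) add a hidden input named
// csrf_token whose value is htmlspecialchars(csrf_token()), so every legitimate
// submission carries the token while a forged cross-site form cannot know it.

// At the top of objects/pluginImport.json.php, before the uploaded ZIP is
// touched, reject any POST whose token is missing or wrong.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => true, 'msg' => 'Invalid CSRF token']);
        exit;
    }
    // ... existing admin check and plugin import continue here ...
}
```

The check must run in addition to, not instead of, the existing admin authorization on the endpoint; the token only proves the request originated from the application's own form.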

Added: Mar 23, 2026, 5:21 PM
Updated: Mar 23, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 7.5
exploitability: 7.3
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.