WWBN AVideo Unauthenticated IDOR Vulnerability in PlaylistsVideos Endpoint Exposes Private Playlist Contents

Vulnerability

A vulnerability exists in WWBN AVideo versions through 26.0, where the 'objects/playlistsVideos.json.php' endpoint allows unauthenticated access to the full video contents of any playlist by ID. The endpoint performs no authentication or authorization checks, so it also serves private playlists, including the 'watch_later' and 'favorite' types, which are normally hidden from the listing endpoints. The root cause is that the endpoint retrieves playlist contents directly from the 'playlists_id' parameter without validating the playlist's visibility or the requester's relationship to it, an insecure direct object reference (IDOR) that exposes private user data.

Impact

Exploitation of this vulnerability allows an attacker to read and enumerate private playlist contents, including 'watch_later' and 'favorite' playlists, without authentication. The response includes detailed video metadata such as titles, filenames, URLs, user information, comments, and subscriber counts. Because 'watch_later' and 'favorite' playlists reflect what a user has chosen to watch or liked, the exposure is a privacy violation that reveals individual viewing habits and content preferences.

Reproduction

To reproduce this vulnerability, send a request to the 'objects/playlistsVideos.json.php' endpoint with a 'playlists_id' parameter. No authentication is required. The endpoint returns the video contents of the specified playlist, including private playlists that the standard listing endpoint does not expose. Because playlist IDs are sequential, the vulnerability can be exploited by iterating through IDs to reach private playlists.

Remediation

The vulnerability has been patched in commit bb716fbece656c9fe39784f11e4e822b5867f1ca. Users should update to the latest version of AVideo, which includes this fix. Until the update is applied, access to 'objects/playlistsVideos.json.php' can be restricted at the web server or reverse proxy, and access logs for that path can be reviewed for bursts of requests that step through consecutive 'playlists_id' values, which is the enumeration pattern described above.
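The following is an added illustration, not AVideo's code and not the contents of the patch commit, of the visibility check the endpoint was missing: a playlist is resolved by ID, the requester's relationship to it is checked, and only then is video metadata returned. The field names (users_id, status), the set of owner-only playlist types, and the sample records are assumptions constructed for the example.

```python
# Added example (not AVideo's code): an authorization gate for a
# "playlist videos by id" endpoint. Field names and status values are
# assumptions; only the owner may read private/watch_later/favorite lists.
from dataclasses import dataclass, field
from typing import Optional

# Playlist kinds that must never be served to anyone but their owner (assumed set).
OWNER_ONLY_STATUSES = {"private", "watch_later", "favorite"}


@dataclass
class Playlist:
    id: int
    users_id: int                 # owner of the playlist
    status: str                   # "public", "unlisted", or an owner-only value
    videos: list = field(default_factory=list)


def can_view_playlist(pl: Playlist, requester_id: Optional[int]) -> bool:
    """Owner may always view; anyone else only public or unlisted playlists."""
    if requester_id is not None and requester_id == pl.users_id:
        return True
    return pl.status not in OWNER_ONLY_STATUSES


def playlists_videos(db: dict, playlists_id: int, requester_id: Optional[int]) -> dict:
    """Hardened handler: look the playlist up, apply the visibility check, and
    only then return video metadata. Unknown and forbidden playlists get the
    same response so the endpoint does not confirm which IDs exist."""
    pl = db.get(playlists_id)
    if pl is None or not can_view_playlist(pl, requester_id):
        return {"error": True, "status": 404, "videos": []}
    return {"error": False, "status": 200, "videos": list(pl.videos)}


# Constructed sample data standing in for the playlists table.
DB = {
    1: Playlist(1, 10, "public", ["intro.mp4"]),
    2: Playlist(2, 10, "watch_later", ["queued_talk.mp4"]),
    3: Playlist(3, 11, "favorite", ["liked_clip.mp4"]),
}

if __name__ == "__main__":
    print(playlists_videos(DB, 2, None))   # anonymous request: 404, no videos
    print(playlists_videos(DB, 2, 10))     # owner: the playlist's videos
```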

Added: Mar 27, 2026, 3:39 PM
Updated: Mar 27, 2026, 3:39 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          2.5
  exploitability  7.8
  remediation     8.3
  relevance       4.8
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.