WWBN AVideo SQL Injection Vulnerability in Like Management

Vulnerability

A SQL injection vulnerability has been identified in WWBN AVideo versions prior to 26.0. The issue resides in the 'objects/like.php' file, specifically within the 'getLike()' method. The SQL query construction there is inconsistent: while 'users_id' is properly bound as a prepared-statement parameter, 'videos_id' is concatenated directly into the query string without any sanitization or validation. This oversight allows an attacker to inject arbitrary SQL by manipulating the 'videos_id' parameter of the request. Because the application does not apply safe query practices consistently, the partially parameterized query is reachable by any authenticated user and offers a significant attack surface.
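The pattern the advisory describes, reduced to a runnable illustration, is shown below. This is added example code, not AVideo's 'getLike()' or its schema: the in-memory SQLite table, column names and helper names ('build_like_query_vulnerable', 'parse_videos_id', 'get_like_safe') are constructed here for demonstration. The first function mirrors the defect (one bound parameter, one concatenated value) and only returns the SQL text it builds, so the defect is visible without executing anything; the hardened version validates 'videos_id' as a positive integer and binds both values.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a "likes" table; not AVideo's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE likes (id INTEGER PRIMARY KEY, users_id INTEGER, "
        "videos_id INTEGER, value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO likes (users_id, videos_id, value) VALUES (?, ?, ?)",
        [(1, 10, 1), (1, 11, -1), (2, 10, 1)],
    )
    conn.commit()
    return conn

def build_like_query_vulnerable(videos_id):
    # The defective shape: users_id is a bound "?" placeholder, but videos_id is
    # string-concatenated, so whatever the caller supplies lands inside the SQL text.
    return "SELECT value FROM likes WHERE users_id = ? AND videos_id = " + str(videos_id)

def get_like_vulnerable(conn, users_id, videos_id):
    # Executes the mixed query; only the users_id value is actually parameterized.
    sql = build_like_query_vulnerable(videos_id)
    return conn.execute(sql, (users_id,)).fetchall()

def parse_videos_id(raw):
    # Accept only a positive decimal integer; anything else is rejected with None.
    s = str(raw).strip()
    if not s.isdigit() or int(s) <= 0:
        return None
    return int(s)

def get_like_safe(conn, users_id, videos_id):
    # Hardened version: validate the type, then bind BOTH values as parameters so the
    # database driver never interprets user input as SQL.
    vid = parse_videos_id(videos_id)
    if vid is None:
        raise ValueError("videos_id must be a positive integer")
    return conn.execute(
        "SELECT value FROM likes WHERE users_id = ? AND videos_id = ?",
        (users_id, vid),
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(build_like_query_vulnerable("10 abc"))   # input appears verbatim in the SQL
    print(get_like_safe(db, 1, "10"))              # [(1,)]
    print(parse_videos_id("10 abc"))               # None: rejected before any query runs
```

The two checks are independent: the integer validation stops non-numeric input at the edge, and the bound parameter guarantees that even a valid-looking value cannot change the query's structure. Either alone would have removed the injection; applying both is the usual defence-in-depth choice.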

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection, bypassing the partial prepared statement protection. This could lead to unauthorized data access, modification, or deletion, depending on the database user's privileges.

Reproduction

To reproduce this vulnerability, send a POST request to 'objects/likeAjax.json.php' with a crafted 'videos_id' parameter that includes SQL injection payloads. The injected SQL will be executed by the application's database layer, demonstrating the vulnerability.
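Since the only legitimate value for 'videos_id' on this endpoint is an integer, requests to 'objects/likeAjax.json.php' carrying anything else are a cheap detection signal while an instance awaits the upgrade. The following added example (not part of the advisory or of AVideo) runs that check over a few constructed request-log lines; the log format, timestamps and addresses are invented for the demonstration.

```python
from urllib.parse import parse_qs

# Constructed request log: timestamp, client address, method, path, form body.
SAMPLE_LOG = """\
2026-03-27T17:30:01Z 203.0.113.5 POST /objects/likeAjax.json.php videos_id=12
2026-03-27T17:30:02Z 203.0.113.5 POST /objects/likeAjax.json.php videos_id=12%20abc
2026-03-27T17:30:03Z 198.51.100.7 POST /objects/likeAjax.json.php videos_id=
2026-03-27T17:30:04Z 198.51.100.7 GET /objects/video.json.php videos_id=xyz
2026-03-27T17:30:05Z 203.0.113.9 POST /objects/likeAjax.json.php videos_id=7
"""

TARGET_PATH = "/objects/likeAjax.json.php"

def parse_line(line):
    # Split a constructed log line into its five fields; returns None on malformed input.
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    ts, client, method, path, body = parts
    return {"ts": ts, "client": client, "method": method, "path": path, "body": body}

def is_suspicious(entry):
    # Flag like-endpoint requests whose videos_id is missing or not a positive integer.
    if entry["path"] != TARGET_PATH:
        return False
    params = parse_qs(entry["body"], keep_blank_values=True)
    values = params.get("videos_id", [])
    if not values:
        return True
    return not all(v.strip().isdigit() and int(v) > 0 for v in values)

def find_suspicious(log_text):
    # Return (timestamp, client, raw videos_id) for every flagged line.
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            raw = parse_qs(entry["body"], keep_blank_values=True).get("videos_id", [""])[0]
            hits.append((entry["ts"], entry["client"], raw))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("non-integer videos_id on like endpoint:", hit)
```

The check deliberately ignores other endpoints (the 'video.json.php' line is constructed noise) so it stays a precise signal for the affected code path; a broader rule that flags any non-numeric id anywhere would be noisier and is not supported by this advisory.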

Remediation

Update to AVideo version 26.0 or later, where this vulnerability has been patched.

Added: Mar 27, 2026, 5:30 PM
Updated: Mar 27, 2026, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.1
exploitability: 6.8
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.