WWBN AVideo Plaintext Password Storage Vulnerability in Video Password Feature

Vulnerability

A vulnerability exists in WWBN AVideo versions through 26.0, where video passwords are stored in the database in plaintext without any hashing or encryption. This issue allows attackers with read access to the database to retrieve all video passwords in cleartext. The vulnerability arises because the password is directly trimmed and saved to the 'video_password' column in the 'videos' table without any hashing. When passwords are checked for access, the comparison is made against the unencrypted value, further exposing this sensitive information.

Impact

Exploitation of this vulnerability leads to the full exposure of all video access passwords stored in plaintext, creating a risk of credential harvesting, especially since users often reuse passwords across different services.

Reproduction

To reproduce this vulnerability, set a password on any video using the AVideo admin or creator interface. Then, query the database to select the 'video_password' column from the 'videos' table. All video passwords will be returned in plaintext. Alternatively, exploit any existing SQL injection vulnerabilities in this repository to directly extract the 'video_password' column.

Remediation

Users can update to AVideo version 29.0 or later, where this vulnerability has been patched. Instructions for updating can be found in the AVideo repository.
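
For deployments auditing their own data, the sketch below shows the hashed storage and verification pattern that avoids this class of issue, plus a one-time migration of values already stored in plaintext. It is an added example, not AVideo's code or its actual patch: the helper names, the in-memory SQLite database and the sample rows are assumptions, and only the 'videos' table and 'video_password' column come from this advisory.

```php
<?php
declare(strict_types=1);
// Added illustration, not AVideo code: helper names and the SQLite schema are
// assumptions; only `videos`.`video_password` comes from the advisory.
function setVideoPassword(PDO $db, int $id, string $password): void
{
    $password = trim($password);
    // Empty means "no password"; anything else is stored as a salted hash.
    $stored = $password === '' ? '' : password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('UPDATE videos SET video_password = ? WHERE id = ?')->execute([$stored, $id]);
}

function checkVideoPassword(PDO $db, int $id, string $attempt): bool
{
    $stmt = $db->prepare('SELECT video_password FROM videos WHERE id = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    // No row, or no password set: nothing to verify against.
    if (!is_string($stored) || $stored === '') {
        return false;
    }
    return password_verify(trim($attempt), $stored);
}

// One-time migration: hash every value that is still plaintext. Idempotent,
// because values password_get_info() recognises as hashes are left alone.
function migratePlaintextPasswords(PDO $db): int
{
    $rows = $db->query("SELECT id, video_password FROM videos WHERE video_password <> ''")
               ->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE videos SET video_password = ? WHERE id = ?');
    $migrated = 0;
    foreach ($rows as $row) {
        if (password_get_info($row['video_password'])['algoName'] === 'unknown') {
            $update->execute([password_hash($row['video_password'], PASSWORD_DEFAULT), $row['id']]);
            $migrated++;
        }
    }
    return $migrated;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, video_password TEXT)');
$db->exec("INSERT INTO videos VALUES (1, 'legacy-plaintext'), (2, '')");
var_dump(migratePlaintextPasswords($db), checkVideoPassword($db, 1, 'legacy-plaintext'));
setVideoPassword($db, 2, ' new-secret ');
var_dump(checkVideoPassword($db, 2, 'new-secret'), checkVideoPassword($db, 2, 'wrong'));
```

PHP's documentation recommends a 255-character column for PASSWORD_DEFAULT hashes, so check the width of 'video_password' before running a migration like this. Backups and replicas taken before the migration still contain the plaintext values.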

Added: Mar 27, 2026, 5:49 PM
Updated: Mar 27, 2026, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.