WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A vulnerability in the WWBN AVideo live streaming plugin, affecting versions through 26.0, allows any authenticated user to overwrite poster images for scheduled live streams. This is achieved by sending an arbitrary live_schedule_id to the uploadPoster.php endpoint, which lacks proper authorization checks. After the poster is replaced, the endpoint sends a misleading notification to all connected WebSocket clients, falsely indicating that the victim's stream has gone offline.
Exploitation of this vulnerability leads to unauthorized modification of live stream posters, disruption of streaming activities by falsely signaling that a stream has ended, and unintentional disclosure of the victim's user ID and broadcast key to all WebSocket clients.
To reproduce this vulnerability, log in as an authenticated user and send a POST request to the 'plugin/Live/uploadPoster.php' endpoint. Include the 'live_schedule_id' of a scheduled stream that is not owned by the user, along with the 'file_data' parameter containing the image to be uploaded. The request will successfully overwrite the poster without authorization, and a notification will be broadcast to all WebSocket clients indicating that the victim's stream has gone offline.
The vulnerability has been patched in commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60. Users should update to the latest version of WWBN AVideo.
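As an added illustration (not AVideo's own code, and the helper names `current_user_id()`, `schedule_owner_id()`, `is_admin()`, `save_poster()` and `ws_broadcast()` are placeholders), the shape of the missing check: a handler that trusts the caller-supplied `live_schedule_id` beside one that binds the schedule to the logged-in user before touching the poster or notifying anyone.

```php
<?php
// Hypothetical handlers illustrating the flaw described above. The helper
// functions are placeholders, not AVideo's API.

// Vulnerable shape: the only check is "is someone logged in"; the object id
// comes straight from the request, so any account can target any schedule.
function uploadPosterVulnerable(array $post, array $files): array
{
    if (!current_user_id()) {
        return ['error' => true, 'msg' => 'login required'];
    }
    $scheduleId = (int) $post['live_schedule_id'];
    save_poster($scheduleId, $files['file_data']['tmp_name']);
    // Goes to every WebSocket client, carries the owner's users_id and
    // broadcast key, and claims the stream went offline.
    ws_broadcast([
        'action'   => 'offline',
        'users_id' => schedule_owner_id($scheduleId),
        'key'      => schedule_broadcast_key($scheduleId),
    ]);
    return ['error' => false];
}

// Hardened shape: validate the id, fail closed on unknown or foreign
// schedules, check the upload is really an image, keep the notice minimal.
function uploadPosterHardened(array $post, array $files): array
{
    $userId = current_user_id();
    if (!$userId) {
        return ['error' => true, 'msg' => 'login required'];
    }
    $scheduleId = filter_var($post['live_schedule_id'] ?? null, FILTER_VALIDATE_INT);
    if ($scheduleId === false) {
        return ['error' => true, 'msg' => 'invalid live_schedule_id'];
    }
    $ownerId = schedule_owner_id($scheduleId); // null when no such schedule
    if ($ownerId === null || ($ownerId !== $userId && !is_admin($userId))) {
        // One response for "not found" and "not yours" avoids id enumeration.
        return ['error' => true, 'msg' => 'not authorized'];
    }
    $tmp  = $files['file_data']['tmp_name'] ?? '';
    $info = @getimagesize($tmp);
    if ($info === false || !in_array($info['mime'], ['image/jpeg', 'image/png', 'image/webp'], true)) {
        return ['error' => true, 'msg' => 'not an image'];
    }
    save_poster($scheduleId, $tmp);
    // Say only that the poster changed: no key, no owner id, no "offline".
    ws_broadcast(['action' => 'poster_updated', 'live_schedule_id' => $scheduleId]);
    return ['error' => false];
}
```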