WWBN AVideo WebSocket Token Persistence Vulnerability

Vulnerability

A vulnerability in WWBN AVideo versions through 26.0 allows WebSocket tokens to bypass expiration because the timeout validation in the 'verifyTokenSocket()' function is commented out. Since the expiry check never runs, a token, whether captured or legitimately obtained, grants WebSocket access indefinitely, including after the owning account is deleted, banned, or demoted from admin. Admin tokens in particular expose real-time connection data for every online user, including IP addresses, browser information, and the page each user is on.

Impact

Because the token never expires, WebSocket access survives account revocation: deleted, banned, or demoted users retain the privileges they held when the token was issued, and an admin who is demoted keeps admin-level WebSocket access indefinitely. The exposed connection data permits real-time surveillance of user activity. The flaw also extends the attack window for token theft, since a stolen token stays valid permanently, and enables identity hijacking, since a stolen token can be presented on a new connection to assume the victim's identity.

Reproduction

To reproduce this vulnerability, first obtain a WebSocket token as an authenticated user by requesting the 'getWebSocket.json.php' endpoint with a valid session cookie. Use the token to establish a WebSocket connection. Then wait until the token has nominally expired (more than 12 hours) and re-establish the connection with the same token: the server still accepts it, because 'verifyTokenSocket()' does not enforce the timeout validation. If the token was originally issued to an admin user, the new connection again receives privileged data about all connected clients.

Remediation

Uncomment the timeout enforcement in the 'verifyTokenSocket()' function so that token expiration is validated again. In addition, re-validate admin privileges periodically against the account's current state (existence, ban status, admin flag) rather than trusting the privilege snapshot carried in the token, and restrict the 'getClientsList' WebSocket message type to admin users only.
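The check described in the Vulnerability, Reproduction, and Remediation sections, modelled as an added example that is not AVideo's code (AVideo is written in PHP; this is a self-contained Python model, and the real 'verifyTokenSocket()' is not reproduced). The token format (an HMAC-signed JSON blob), the secret, the 12-hour lifetime, the in-memory user store, and all function names are assumptions made for the demonstration. It shows the vulnerable shape (expiry check commented out, privilege taken from the token's snapshot) beside the hardened shape (expiry enforced, privilege re-read from current account state), and walks the reproduction steps: issue an admin token, wait past expiry, demote the user, reconnect.

```python
"""Model of the AVideo WebSocket token flaw: added example, not AVideo code.

Assumptions (not taken from the page): the token is an HMAC-signed JSON
blob, the secret and 12-hour lifetime are placeholders, and the user
store is an in-memory dict. AVideo's real verifyTokenSocket() is PHP and
is not reproduced here.
"""
import hashlib
import hmac
import json

SECRET = b"assumed-server-secret"      # placeholder, not AVideo's key
TOKEN_TTL_SECONDS = 12 * 3600          # assumed nominal token lifetime


def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def issue_token(user: str, now: float, users: dict) -> str:
    """Model of what getWebSocket.json.php returns to a logged-in user: a
    signed blob with identity, a privilege snapshot and the issue time."""
    body = json.dumps(
        {"user": user, "is_admin": users[user]["is_admin"], "iat": int(now)},
        sort_keys=True,
    ).encode()
    return body.hex() + "." + _sign(body)


def _parse(token: str):
    """Return the token's claims if its signature is valid, else None."""
    try:
        hexbody, sig = token.split(".", 1)
        body = bytes.fromhex(hexbody)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def verify_token_vulnerable(token: str, now: float):
    """Vulnerable shape: signature verified, timeout check left commented
    out, privilege taken from the snapshot inside the token."""
    claims = _parse(token)
    if claims is None:
        return None
    # if now - claims["iat"] > TOKEN_TTL_SECONDS:   # the disabled check
    #     return None
    return {"user": claims["user"], "is_admin": claims["is_admin"]}


def verify_token_fixed(token: str, now: float, users: dict):
    """Hardened shape: expiry enforced, and the account's current state is
    re-read so deletion, ban or demotion applies on the next connect."""
    claims = _parse(token)
    if claims is None:
        return None
    if now - claims["iat"] > TOKEN_TTL_SECONDS:
        return None
    current = users.get(claims["user"])
    if current is None:                      # deleted or banned account
        return None
    return {"user": claims["user"], "is_admin": current["is_admin"]}


def handle_message(session, msg_type: str) -> str:
    """Dispatcher that gates the admin-only 'getClientsList' message type."""
    if session is None:
        return "unauthenticated"
    if msg_type == "getClientsList":
        return "clients-list" if session["is_admin"] else "denied"
    return "ok"


def demo() -> dict:
    """Walk the reproduction steps with constructed timestamps and users."""
    users = {"alice": {"is_admin": True}, "bob": {"is_admin": False}}
    t0 = 1_700_000_000.0
    tok = issue_token("alice", t0, users)    # step 1: admin obtains a token
    later = t0 + 13 * 3600                   # step 2: wait past nominal expiry
    users["alice"]["is_admin"] = False       # meanwhile alice is demoted
    return {
        "vuln_session": verify_token_vulnerable(tok, later),
        "fixed_session": verify_token_fixed(tok, later, users),
        "vuln_clients": handle_message(verify_token_vulnerable(tok, later), "getClientsList"),
        "fixed_clients": handle_message(verify_token_fixed(tok, later, users), "getClientsList"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the model, the vulnerable verifier accepts the 13-hour-old token and still reports alice as admin, so 'getClientsList' is served; the fixed verifier rejects the expired token, and even a fresh token from a demoted or deleted account no longer yields admin access because the privilege comes from the user store rather than from the token.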

Added: Mar 27, 2026, 5:26 PM
Updated: Mar 27, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          5.0
  exploitability  6.0
  remediation     0.0
  relevance       4.5
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.