WWBN AVideo User Group-Based Access Control Bypass Vulnerability in categories.json.php Endpoint

A vulnerability exists in WWBN AVideo versions through 26.0, specifically in the categories.json.php endpoint, which handles the category listing API. The issue arises from a failure to properly enforce user group-based access controls, allowing unauthorized access to category information. By default, the endpoint skips user group filtering entirely, exposing all non-private categories, including those restricted to specific user groups. When the ?user= parameter is used, a type confusion bug causes the filter to incorrectly apply the admin user's group memberships instead of the current user's, further undermining access control. This vulnerability allows any unauthenticated user to bypass intended restrictions and access sensitive category information.

Impact

Exploitation of this vulnerability allows unauthenticated users to bypass user group restrictions, accessing all non-private categories and revealing which categories are restricted to specific user groups. This information could be used to target further access control bypasses on videos within those categories.

Reproduction

The vulnerability can be reproduced by sending a request to the categories.json.php endpoint without the ?user= parameter. This will return all non-private categories without applying any group filtering. Alternatively, including the ?user=1 parameter will fetch categories using the admin user's group memberships, bypassing restrictions for categories assigned to admin groups.

Remediation

Users should update to the latest version of WWBN AVideo, where this vulnerability has been fixed. Instructions for updating can be found in the AVideo documentation.