WWBN AVideo SQL Injection Vulnerability in Live_schedule Stream Key Lookup

Vulnerability

A SQL injection vulnerability has been identified in WWBN AVideo versions through 26.0. The Live_schedule::keyExists() method builds its SQL query by inserting the stream key directly into the query string, without parameterization. The method is reached during RTMP publish authentication, where it is called as a fallback after the parameterized query in LiveTransmition::keyExists() returns no results. Because the stream key is neither bound as a parameter nor sanitized, it can carry SQL syntax into the query. This issue is distinct from another vulnerability in the same application that involves the live_schedule_id parameter.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, enabling an attacker to extract the entire MySQL database. This includes sensitive information such as user credentials, email addresses, API tokens, and platform configuration data.

Reproduction

To reproduce this vulnerability, ensure that the target AVideo instance has the Live plugin enabled. Then, send a POST request to the on_publish.php endpoint with a crafted stream key that includes a SQL injection payload, such as 'nonexistent' OR SLEEP(3)--. The response will be delayed by approximately three seconds, indicating that the injection was successful. This vulnerability can be further exploited by using conditional SLEEP payloads to extract database information character by character.

Remediation

To address this vulnerability, update the Live_schedule::keyExists() method to use parameterized queries, similar to the approach already implemented in LiveTransmition::keyExists().
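The difference between the two query styles, as an added example that is not AVideo source code: the table name, the stream_key column and both function names are assumptions, and an in-memory SQLite database (PHP's pdo_sqlite extension) stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not AVideo source. Schema and function names are assumptions;
// SQLite in memory stands in for MySQL so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE live_schedule (id INTEGER PRIMARY KEY, stream_key TEXT NOT NULL)');
$pdo->exec("INSERT INTO live_schedule (stream_key) VALUES ('constructed-valid-key')");

// Pattern the advisory describes: the stream key becomes part of the SQL text.
function keyExistsConcatenated(PDO $pdo, string $key): bool
{
    $sql = "SELECT id FROM live_schedule WHERE stream_key = '" . $key . "' LIMIT 1";
    return $pdo->query($sql)->fetch() !== false;
}

// Remediated pattern: the key is bound as a parameter and is only ever compared as data.
function keyExistsParameterized(PDO $pdo, string $key): bool
{
    $stmt = $pdo->prepare('SELECT id FROM live_schedule WHERE stream_key = ? LIMIT 1');
    $stmt->execute([$key]);
    return $stmt->fetch() !== false;
}

// Constructed inputs: a stored key, an unknown key, and an unknown key carrying SQL syntax.
$samples = [
    'constructed-valid-key',
    'unknown-key',
    "unknown-key' OR '1'='1",
];

foreach ($samples as $key) {
    printf(
        "%-26s concatenated=%-5s parameterized=%s\n",
        $key,
        var_export(keyExistsConcatenated($pdo, $key), true),
        var_export(keyExistsParameterized($pdo, $key), true)
    );
}

// Regression check for the fix: a key containing SQL syntax must never authenticate.
if (keyExistsParameterized($pdo, "unknown-key' OR '1'='1")) {
    throw new RuntimeException('parameterized lookup accepted a key that is not stored');
}
```

A check like the last one belongs in the test suite for every lookup on the publish-authentication path, fallback lookups included, since the advisory shows that one parameterized query does not protect a second query that receives the same input.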

Added: Mar 27, 2026, 7:26 PM
Updated: Mar 27, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 9.3
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.