WWBN AVideo Live Plugin Unauthenticated Stream Termination Vulnerability

A denial-of-service vulnerability has been identified in the WWBN AVideo live streaming feature, present in versions through 26.0. The issue arises in the Live plugin's 'on_publish_done.php' endpoint, which allows unauthenticated users to terminate active live streams. This endpoint, designed to process RTMP callback events, lacks any authentication or authorization checks. Attackers can exploit this by first enumerating active stream keys from the 'stats.json.php' endpoint, also accessible without authentication, and then sending crafted POST requests to 'on_publish_done.php' to disrupt live broadcasts. As a result, all live streaming functionality on the platform can be rendered inoperative.

Impact

Exploitation of this vulnerability allows any unauthenticated user to terminate live streams on an AVideo instance, causing a widespread disruption of the platform's live streaming capabilities.

Reproduction

To reproduce this vulnerability, first retrieve active stream keys from the unauthenticated 'stats.json.php' endpoint. Then, send a POST request to 'on_publish_done.php' with the stream key as a parameter to terminate the live broadcast. This process can be automated with a script that iterates over all active stream keys.

Remediation

It is recommended to restrict the 'on_publish_done.php' endpoint to accept requests only from localhost. This can be done by adding a check for the remote address at the beginning of the file, ensuring that only requests from '127.0.0.1' or '::1' are processed.