WWBN AVideo Video Publishing Workflow Bypass Vulnerability

Vulnerability

A vulnerability in WWBN AVideo versions through 26.0 allows users with upload permissions to bypass the platform's content moderation workflow. The issue arises from the video processing pipeline, which accepts an 'overrideStatus' request parameter. This parameter enables uploaders to set a video's status to 'active', directly publishing it without admin review. The 'setStatus()' method validates status codes against a predefined list but fails to check if the user has the right to assign a specific status. Consequently, any uploader can manipulate video statuses, undermining content review processes and potentially violating platform policies or legal regulations.

Impact

Exploiting this vulnerability allows uploaders to publish videos immediately, bypassing moderation queues and content review processes. This could lead to the unauthorized dissemination of content that violates platform policies or legal requirements. Additionally, the vulnerability allows users to manipulate video statuses arbitrarily, such as setting videos to 'unlisted' or 'inactive', circumventing platform restrictions on these features.

Reproduction

To reproduce this vulnerability, upload a video as a user with upload permissions and include the 'overrideStatus' parameter set to 'a' (active) in the POST request to 'objects/videoAddNew.json.php'. The video is published immediately, bypassing the moderation workflow. The same effect can be achieved by setting the 'overrideStatus' parameter to 'u' (unlisted), even if that status is normally restricted.

Remediation

To address this vulnerability, implement an authorization check to ensure that only administrators or users with video management permissions can use the 'overrideStatus' parameter to change a video's status. Regular uploaders should be required to follow the standard moderation process.
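
One way to structure the check described above, as an added example that is not AVideo's own code. The function name resolveUploadStatus, the $actor array, the 'i' code for inactive and the choice of 'i' as the moderation default are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// 'a' (active) and 'u' (unlisted) are the codes named in the advisory.
// Assumptions: 'i' stands for inactive, and new uploads wait for review as 'i'.
const KNOWN_STATUSES = ['a', 'u', 'i'];
const MODERATION_DEFAULT = 'i';

/**
 * Decide which status to store for a newly uploaded video.
 * $actor is a hypothetical summary of the session, e.g.
 * ['id' => 7, 'isAdmin' => false, 'canManageVideos' => false].
 */
function resolveUploadStatus(array $actor, ?string $overrideStatus, array &$audit): string
{
    if ($overrideStatus === null || $overrideStatus === '') {
        return MODERATION_DEFAULT;              // normal upload, goes to review
    }
    // Step 1: validity. The advisory says setStatus() already does this part.
    if (!in_array($overrideStatus, KNOWN_STATUSES, true)) {
        $audit[] = sprintf('user %d sent unknown status %s', $actor['id'], json_encode($overrideStatus));
        return MODERATION_DEFAULT;
    }
    // Step 2: authorization. This is the check the advisory reports as missing.
    $privileged = !empty($actor['isAdmin']) || !empty($actor['canManageVideos']);
    if (!$privileged) {
        $audit[] = sprintf('user %d denied overrideStatus=%s', $actor['id'], $overrideStatus);
        return MODERATION_DEFAULT;
    }
    return $overrideStatus;
}

// Constructed requests: [actor, overrideStatus, expected stored status].
$uploader = ['id' => 7, 'isAdmin' => false, 'canManageVideos' => false];
$manager  = ['id' => 3, 'isAdmin' => false, 'canManageVideos' => true];
$admin    = ['id' => 1, 'isAdmin' => true,  'canManageVideos' => false];
$cases = [
    [$uploader, null, 'i'], [$uploader, 'a', 'i'], [$uploader, 'u', 'i'],
    [$manager, 'a', 'a'], [$admin, 'u', 'u'], [$admin, 'zz', 'i'],
];
$audit = [];
foreach ($cases as [$actor, $override, $expected]) {
    $stored = resolveUploadStatus($actor, $override, $audit);
    if ($stored !== $expected) { throw new RuntimeException('unexpected status'); }
    printf("user %d override=%s -> %s\n", $actor['id'], var_export($override, true), $stored);
}
print implode("\n", $audit) . "\n";
```

The audit entries give moderators a record of uploaders who sent an 'overrideStatus' value they were not entitled to use.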

Added: Mar 31, 2026, 9:36 PM
Updated: Mar 31, 2026, 9:36 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.