WWBN AVideo SocialMediaPublisher Plugin Unauthenticated Instagram Graph API Proxy Vulnerability

Vulnerability

A vulnerability exists in the WWBN AVideo platform, in versions through 26.0, within the SocialMediaPublisher plugin. The plugin's publishInstagram.json.php endpoint acts as a proxy to the Facebook/Instagram Graph API: it reads an access token, a container ID and an Instagram account ID from the request and forwards them to the Graph API without first checking who is calling. Because no authentication or authorization check runs before the forward, any unauthenticated user can route Graph API calls through the server using a token of their choosing, including a stolen token or the platform's own credentials.

Impact

Exploitation of this vulnerability allows unauthorized users to use the AVideo server as a proxy for Instagram or Facebook Graph API calls. This could lead to publishing, modifying, or deleting content on the platform's Instagram account, especially if combined with leaked credentials from a previous vulnerability (AVI-027) that allowed access to social media API tokens. Additionally, the server's IP address is used for these API calls, which could help bypass rate limits or IP-based restrictions on the Graph API.

Reproduction

To reproduce this vulnerability, send a request to the publishInstagram.json.php endpoint without any session or credentials, supplying the access token, container ID and Instagram account ID as request parameters. The server forwards the request to the Facebook Graph API and returns its response; a request carrying an invalid token should come back with the Graph API's own error body rather than an authentication error from AVideo, which by itself confirms the unauthenticated forward. With a valid access token, content can be published to the corresponding Instagram account through the AVideo instance.

Remediation

It is recommended to add an admin authorization check at the very beginning of publishInstagram.json.php, before any request parameter is read or forwarded, similar to the existing check on the refresh.json.php endpoint. Non-admin callers should receive a deny response and no outbound Graph API call should be made on their behalf. This restricts the endpoint to admin users and prevents its abuse as an open proxy.
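The following added example illustrates both the reproduction and the remediation described above. It is not AVideo's code and does not reproduce the real publishInstagram.json.php: the parameter names (access_token, container_id, instagram_account_id), the function names, the session representation and the Graph API version and endpoint shape are assumptions made for the demonstration. The outbound HTTPS call is injected as a callable so the script runs offline and simply records what would have left the server.

```php
<?php
// Added illustration, not AVideo's own code. Parameter names, function
// names, the session shape and the Graph API URL are assumptions.
declare(strict_types=1);

// Stand-in for the admin check AVideo applies on other plugin endpoints
// (assumed shape: a session array with an 'is_admin' flag).
function is_admin_session(array $session): bool
{
    return !empty($session['is_admin']);
}

// Vulnerable pattern: caller-supplied values go straight to the Graph API.
// $http is callable(string $url, array $post): string, injected for testing.
function publish_instagram_vulnerable(array $request, callable $http): array
{
    $igAccountId = $request['instagram_account_id'] ?? '';
    $url = "https://graph.facebook.com/v18.0/{$igAccountId}/media_publish";
    $body = $http($url, [
        'creation_id'  => $request['container_id'] ?? '',
        'access_token' => $request['access_token'] ?? '',
    ]);
    return ['status' => 200, 'body' => $body];
}

// Hardened pattern: deny before reading any input, so a non-admin caller
// never causes an outbound request.
function publish_instagram_hardened(array $request, array $session, callable $http): array
{
    if (!is_admin_session($session)) {
        return ['status' => 403, 'body' => json_encode(['error' => true, 'msg' => 'Admin only'])];
    }
    return publish_instagram_vulnerable($request, $http);
}

// Offline stand-in for the HTTPS client: records the forwarded request.
$forwarded = [];
$fakeHttp = function (string $url, array $post) use (&$forwarded): string {
    $forwarded[] = ['url' => $url, 'post' => $post];
    return json_encode(['id' => 'fake_media_id']);
};

// Constructed attacker request: no session, arbitrary (e.g. stolen) token.
$attackerRequest = [
    'access_token'         => 'EAAB...stolen',
    'container_id'         => '1784000000000001',
    'instagram_account_id' => '17841400000000002',
];
$anonymousSession = [];

$r1 = publish_instagram_vulnerable($attackerRequest, $fakeHttp);
printf("vulnerable: HTTP %d, forwarded %d request(s) to %s\n",
    $r1['status'], count($forwarded), $forwarded[0]['url']);

$forwarded = [];
$r2 = publish_instagram_hardened($attackerRequest, $anonymousSession, $fakeHttp);
printf("hardened:   HTTP %d, forwarded %d request(s)\n", $r2['status'], count($forwarded));
```

Run with `php demo.php`: the vulnerable handler forwards the anonymous caller's token to graph.facebook.com, while the hardened handler returns 403 and makes no outbound call. The important property of the fix is the ordering: the authorization check precedes any read of the request, so there is no code path in which an unauthenticated caller's parameters reach the Graph API client.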

Added: Apr 6, 2026, 8:30 PM
Updated: Apr 6, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.4
exploitability: 9.1
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.