WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A cross-site request forgery (CSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the site customization endpoint 'admin/customize_settings_nativeUpdate.json.php', which lacks proper CSRF token validation. This vulnerability allows an attacker to overwrite the platform's logo with a custom image. The exploitation is possible because the endpoint writes uploaded logo files to disk before performing a domain-based security check, and the 'SameSite=None' cookie policy enables cross-origin POST requests to include the admin's authenticated session.
Exploitation of this vulnerability replaces the platform logo with an attacker-controlled image, potentially leading to phishing attempts by using a misleading logo with fraudulent instructions. The unauthorized file overwrite is permanent without manual intervention from an admin.
To reproduce this vulnerability, send a cross-origin POST request to the 'admin/customize_settings_nativeUpdate.json.php' endpoint without a CSRF token. Include base64-encoded image data as the 'logoImgBase64' parameter. The absence of CSRF validation allows the request to be processed, overwriting the existing logo with the supplied image data. This can be automated with a script or a web page that an authenticated admin would visit, triggering the logo replacement.
To address this vulnerability, implement CSRF token validation on the 'admin/customize_settings_nativeUpdate.json.php' endpoint before processing any POST data or file uploads. This validation should be added prior to the 'base64DataToImage()' and 'file_put_contents()' calls to prevent unauthorized file writes.
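The following hardened handler is an added example, not AVideo's code: it illustrates the fix described above by validating a session-bound CSRF token (and, as defence in depth, the `Origin` header and a `SameSite=Lax` session cookie) before any base64 decoding or `file_put_contents()` call. The function names, the `csrf_token` field, `$siteHost` and `$logoPath` are hypothetical; the GD extension is assumed for the image sanity check.

```php
<?php
// Added example (not AVideo's code). All names are hypothetical.

// Stop the session cookie from riding along on cross-site POSTs (PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue a per-session CSRF token; the admin form must echo it back as 'csrf_token'.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the one in the session.
function csrfTokenValid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: if the browser sent an Origin header, it must match our host.
// The token remains the primary control when Origin is absent.
function originAllowed(array $server, string $siteHost): bool {
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        return true;
    }
    return strcasecmp((string) parse_url($origin, PHP_URL_HOST), $siteHost) === 0;
}

function handleLogoUpdate(array $post, array $server, string $siteHost, string $logoPath): array {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['error' => true, 'msg' => 'POST required'];
    }
    // Both checks run BEFORE any decoding or write to disk.
    if (!csrfTokenValid($post['csrf_token'] ?? null) || !originAllowed($server, $siteHost)) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'CSRF check failed'];
    }
    $data = preg_replace('#^data:image/[\w.+-]+;base64,#i', '', $post['logoImgBase64'] ?? '');
    $raw  = base64_decode($data, true);
    if ($raw === false || @imagecreatefromstring($raw) === false) {
        return ['error' => true, 'msg' => 'Not a valid image'];
    }
    file_put_contents($logoPath, $raw);   // only reached after validation
    return ['error' => false, 'msg' => 'Logo updated'];
}

header('Content-Type: application/json');
// $siteHost should come from configuration, not from the request's Host header.
echo json_encode(handleLogoUpdate($_POST, $_SERVER, 'example.invalid', __DIR__ . '/logo.png'));
```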