WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A vulnerability exists in WWBN AVideo versions through 26.0, where the plugin/API/check.ffmpeg.json.php endpoint can be accessed without authentication. This endpoint probes the FFmpeg remote server configuration and returns connectivity status. In contrast, all related FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require admin privileges. The lack of authentication in the check.ffmpeg.json.php endpoint could lead to unauthorized infrastructure reconnaissance, revealing details about the encoding architecture and aiding in targeted attack planning.
This vulnerability allows for unauthorized access to information about the server's FFmpeg configuration and connectivity status, which could be used to plan further attacks.
To reproduce this vulnerability, send a request to the vulnerable AVideo instance's plugin/API/check.ffmpeg.json.php endpoint. This can be done using a tool like curl. The response will indicate whether the platform uses a standalone FFmpeg server and its current reachability.
It is recommended to add an admin authentication check to the plugin/API/check.ffmpeg.json.php file, after including the configuration file. This can be done by adding a conditional statement that checks if the user is an admin and denies access if they are not.
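To see whether this endpoint has already been answering requests on your own instance, the following added example (not part of the advisory or the AVideo code base) scans web server access logs for requests to it. It assumes the Apache/nginx "combined" log format and that a patched endpoint rejects non-admins with 401 or 403. The function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Endpoint named in the advisory; its sibling FFmpeg endpoints require admin.
ENDPOINT = "/plugin/API/check.ffmpeg.json.php"

# Assumption: "combined" access log format. Adjust for a custom log_format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def probe_hits(lines):
    """Return (served, denied): per-client request counts for ENDPOINT."""
    served, denied = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        # Drop the query string and collapse "//" so path variants still match.
        path = re.sub(r"/{2,}", "/", m["target"].split("?", 1)[0])
        # endswith() covers installs that live under a sub-directory.
        if not path.endswith(ENDPOINT):
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            served[m["ip"]] += 1   # endpoint answered: status was disclosed
        elif status in (401, 403):
            denied[m["ip"]] += 1   # assumed behaviour once the check is added
    return served, denied

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [02/Jan/2025:10:15:01 +0000] "GET /plugin/API/check.ffmpeg.json.php HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '198.51.100.23 - - [02/Jan/2025:10:15:03 +0000] "GET /plugin/API/check.ffmpeg.json.php?x=1 HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '192.0.2.10 - - [02/Jan/2025:10:16:00 +0000] "GET /plugin/API/list.ffmpeg.json.php HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jan/2025:09:00:00 +0000] "GET /video//plugin/API/check.ffmpeg.json.php HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    served, denied = probe_hits(SAMPLE_LOG)
    for ip, n in served.most_common():
        print(f"{ip}: {n} request(s) answered by {ENDPOINT}")
    for ip, n in denied.most_common():
        print(f"{ip}: {n} request(s) denied")
```

Access logs do not show whether a 2xx response went to an admin session, so compare the listed clients against known administrator addresses before treating a hit as reconnaissance.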