WWBN AVideo Unauthenticated Information Disclosure Vulnerability in CloneSite Plugin Log Endpoint

Vulnerability

A vulnerability exists in WWBN AVideo versions through 26.0, where the plugin/CloneSite/client.log.php endpoint exposes the clone operation log file without any authentication. This log file, which is populated by the cloneClient.json.php script, contains sensitive information such as internal filesystem paths, remote server URLs, and SSH connection details. In contrast, all other endpoints within the CloneSite plugin directory require admin privileges for access.

Impact

This vulnerability leads to an unauthorized disclosure of internal infrastructure details, such as SSH metadata and filesystem paths, which could facilitate targeted attacks against the server from which the clone was sourced.

Reproduction

To reproduce this vulnerability, send a request to the 'plugin/CloneSite/client.log.php' endpoint without any authentication. If the CloneSite feature has been used, the response will include sensitive information such as wget commands, internal paths, SSH details, and locations of SQL dump files.

Remediation

It is recommended to add an admin authentication check to the 'plugin/CloneSite/client.log.php' file before the log file is included. This can be done by requiring the configuration file and checking if the user is an admin, returning a 403 response if not.
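
An added example of the guard described above, not the project's own patch. It assumes that AVideo's bootstrap file is videos/configuration.php under the web root and that it provides User::isAdmin(); the log path is a placeholder because this page does not show the real one.

```php
<?php
// plugin/CloneSite/client.log.php, hardened form (added example).
// Assumption: the AVideo bootstrap sits two directories up at
// videos/configuration.php and defines the User class with isAdmin().
require_once dirname(__FILE__) . '/../../videos/configuration.php';

// Deny before any log content is read or emitted, so an unauthenticated
// request never reaches the code that touches the clone log.
if (!User::isAdmin()) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}

// Placeholder: the path the original file includes is not shown on this page.
$cloneLogPath = '/path/to/clone/client.log'; // hypothetical value

// The log carries paths, remote URLs and SSH details, so keep it out of
// shared caches even for the admin who is allowed to see it.
header('Content-Type: text/plain; charset=utf-8');
header('Cache-Control: no-store');

// Assumption of this example: the log is streamed with readfile() rather
// than include, so its contents are sent as text and never evaluated as PHP.
if (is_readable($cloneLogPath)) {
    readfile($cloneLogPath);
}
```

After deploying a guard like this, a request to the endpoint made without an admin session should return 403 with no log content in the body.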

Added: Apr 6, 2026, 10:24 PM
Updated: Apr 6, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.