WWBN AVideo Insecure Direct Object Reference Vulnerability in Live Restreams Endpoint Allows Credential Theft

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in WWBN AVideo versions through 29.0. The issue resides in the endpoint 'plugin/Live/view/Live_restreams/list.json.php', where authenticated users with streaming permissions can access other users' live restream configurations. This includes sensitive information such as third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. The vulnerability arises because the authorization logic fails to properly restrict non-admin users to their own records, allowing them to exploit the 'users_id' parameter to retrieve data from other users.

Impact

Exploitation of this vulnerability leads to unauthorized access to third-party platform stream keys and OAuth tokens of other users, allowing for unauthorized broadcasting on their behalf and potential abuse of their OAuth credentials.

Reproduction

To reproduce this vulnerability, an authenticated user with streaming permission can send a request to the 'plugin/Live/view/Live_restreams/list.json.php' endpoint, including the 'users_id' parameter set to the ID of another user. The response will contain the victim's restream records, including sensitive stream keys and OAuth tokens.

Remediation

The vulnerability has been patched in the latest version of AVideo. Users should update to the version that includes the fix.
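The advisory describes the bug as authorization logic that trusts the request's 'users_id' instead of pinning non-admin callers to their own records. The following PHP sketch is an added illustration of that pattern and its hardened counterpart; it is not AVideo's code or its actual patch, and the function names, the $isAdmin flag and the constructed scenario are assumptions made for the example.

```php
<?php
// Added example, not AVideo's own code. Hypothetical helpers that decide whose
// restream records a list endpoint may return, given the session user and the
// optional users_id query parameter.

/**
 * Weak pattern (the class of defect the advisory describes): a caller-supplied
 * users_id is accepted as the record owner, so any authenticated streamer can
 * list another user's restream records, stream keys and OAuth tokens included.
 */
function resolveRestreamOwnerWeak(int $sessionUsersId, ?string $requestedUsersId): int
{
    // The request value wins whenever it is present; no ownership check at all.
    if ($requestedUsersId !== null && $requestedUsersId !== '') {
        return (int) $requestedUsersId;
    }
    return $sessionUsersId;
}

/**
 * Hardened pattern: non-admins are always pinned to their own id regardless of
 * what the request carries; only admins may select another user's records, and
 * the value is validated as a positive integer before it reaches a query.
 */
function resolveRestreamOwner(int $sessionUsersId, bool $isAdmin, ?string $requestedUsersId): int
{
    if (!$isAdmin) {
        return $sessionUsersId;            // ignore users_id entirely for non-admins
    }
    if ($requestedUsersId === null || $requestedUsersId === '') {
        return $sessionUsersId;
    }
    if (!ctype_digit($requestedUsersId) || (int) $requestedUsersId <= 0) {
        return $sessionUsersId;            // malformed input falls back to own records
    }
    return (int) $requestedUsersId;
}

// Constructed scenario: user 7, a non-admin with streaming permission, sends users_id=3.
$session   = ['users_id' => 7, 'isAdmin' => false];
$requested = '3';

$weak  = resolveRestreamOwnerWeak($session['users_id'], $requested);                      // 3
$fixed = resolveRestreamOwner($session['users_id'], $session['isAdmin'], $requested);     // 7

// Only the resolved owner id is ever bound to the SQL query, never the raw request value
// (illustrative; $pdo is an assumed PDO connection):
// $stmt = $pdo->prepare('SELECT * FROM live_restreams WHERE users_id = ?');
// $stmt->execute([$fixed]);
printf("weak=%d hardened=%d\n", $weak, $fixed);
```

With the hardened resolver the non-admin request for users_id=3 resolves to the caller's own id, so the victim's rows are never selected. As a separate design point, a list endpoint generally has no need to echo refresh tokens or raw stream keys back to the browser at all; returning masked values (or only an indicator that a token is configured) limits what any future authorization slip can leak.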

Added: Apr 21, 2026, 11:45 PM
Updated: Apr 21, 2026, 11:45 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          2.5
exploitability  6.4
remediation     0.0
relevance       6.4
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.