WWBN AVideo YPTSocket Plugin WebSocket Server Unauthenticated Cross-User JavaScript Execution Vulnerability

Vulnerability

A vulnerability in the YPTSocket plugin for WWBN AVideo, in versions through 29.0, allows unauthenticated cross-user JavaScript execution. The WebSocket server relays attacker-supplied JSON messages to all connected clients without sanitizing the 'msg' or 'callback' fields, and the client-side script passes both fields to 'eval()' through two separate sinks. The result is session theft and unauthorized actions performed on behalf of the affected users, including administrators.

Impact

Exploitation of this vulnerability allows universal client-side code execution across all users connected to the affected AVideo instance. This includes session theft from every connected user, administrators in particular, and the execution of privileged actions in the context of those admin users.

Reproduction

To reproduce this vulnerability, first obtain a WebSocket token by sending a request to the 'getWebSocket.json.php' endpoint. This token can be acquired anonymously, without any authentication. Once the token is obtained, connect to the WebSocket server using the provided token. After establishing the connection, send a JSON payload that includes the 'msg' field with JavaScript code to be executed, or use the 'callback' field to inject code that will be executed via an 'eval()' call.

Remediation

Users can update to the latest version of AVideo, where this vulnerability has been addressed. Instructions for updating can be found in the AVideo documentation.
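One way to remove the two 'eval()' sinks the advisory describes, as an added example that is not AVideo's or the YPTSocket plugin's own code: relayed messages are dispatched to a fixed registry of client functions by name, and 'msg' is handled as data rather than code. The message shape (a JSON object with 'msg' and 'callback' fields) is taken from the advisory; the handler names and the socket URL are assumptions.

```javascript
// Added example (not AVideo's or the YPTSocket plugin's own code): a
// client-side handler for relayed WebSocket messages that dispatches to a
// fixed registry of functions instead of passing 'msg' or 'callback' to
// eval(). Assumed message shape: a JSON object with 'msg' and 'callback'
// fields, as the advisory describes. Handler names are hypothetical.

// Registry of handlers the client is willing to run. A 'callback' value
// must name one of these own properties; anything else is rejected.
const HANDLERS = Object.freeze({
  showNotification(data) {
    // 'msg' is treated as plain text, never as HTML or code.
    return { kind: "notification", text: data.msg == null ? "" : String(data.msg) };
  },
  updateViewerCount(data) {
    const n = Number(data.msg);
    return { kind: "viewers", count: Number.isInteger(n) && n >= 0 ? n : 0 };
  },
});

// Parse one raw WebSocket frame and return either the dispatch result or a
// rejection reason. No string from the wire reaches eval() or the DOM as HTML.
function handleSocketMessage(raw) {
  let data;
  try {
    data = JSON.parse(raw);
  } catch (e) {
    return { accepted: false, reason: "invalid-json" };
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { accepted: false, reason: "not-an-object" };
  }
  const name = data.callback;
  // Own-property check only: blocks inherited names such as "constructor"
  // or "toString" that a plain `name in HANDLERS` test would accept.
  if (typeof name !== "string" || !Object.prototype.hasOwnProperty.call(HANDLERS, name)) {
    return { accepted: false, reason: "unknown-callback" };
  }
  return { accepted: true, callback: name, result: HANDLERS[name](data) };
}

// Wiring into a real socket (the URL is a placeholder, not an AVideo path):
// const ws = new WebSocket("wss://EXAMPLE-AVIDEO-HOST/socket");
// ws.onmessage = (ev) => handleSocketMessage(ev.data);
```

Whatever the handler renders should go through `textContent` rather than `innerHTML`, so that the 'msg' text is displayed and never interpreted.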

Added: Apr 21, 2026, 9:50 PM
Updated: Apr 21, 2026, 9:50 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.3
exploitability: 9.3
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.