WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in WWBN AVideo, an open-source video platform, in versions through 29.0. The issue resides in three admin-only JSON endpoints: 'objects/categoryAddNew.json.php', 'objects/categoryDelete.json.php', and 'objects/pluginRunUpdateScript.json.php'. These endpoints perform state-changing actions on the database but never validate a CSRF token; the only gate is the admin session cookie, which the browser attaches to any request regardless of which site initiated it. Peer endpoints in the same directory do enforce CSRF tokens, so the omission in these three endpoints allows an attacker to manipulate categories and execute plugin update scripts by luring a logged-in admin to a malicious page.
Exploitation of this vulnerability allows for unauthorized category creation, modification, and deletion, with potential for stored Cross-Site Scripting (XSS) attacks. Additionally, it enables the execution of any installed plugin's update script in the context of the admin user.
To reproduce this vulnerability, an attacker hosts a webpage that submits a POST request to one of the vulnerable endpoints, such as 'objects/categoryAddNew.json.php' or 'objects/categoryDelete.json.php', with the attacker-chosen parameters. When a logged-in admin visits the page, the browser sends the request with the admin's session cookie; since the endpoint checks only that cookie and never looks for a token, the absence of a CSRF token goes unnoticed and the action is carried out. The same method forces an admin to run a plugin update script through 'pluginRunUpdateScript.json.php'.
The recommended fix is to add a CSRF token validation check to each affected endpoint, placed before any database write, similar to the existing checks in 'pluginSwitch.json.php' and 'pluginRunDatabaseScript.json.php'. Browser SameSite cookie defaults and Origin/Referer checks are useful defense in depth but do not replace the per-session token check.
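The following is an added example, not code from AVideo, showing the vulnerable endpoint shape beside the hardened one using a synchronizer token stored in the PHP session. All helper names (is_admin_session, delete_category, json_fail, csrf_issue_token, csrf_require_valid_token) and the field name "csrf_token" are assumptions for illustration, not AVideo identifiers; AVideo's own checks in 'pluginSwitch.json.php' are not reproduced here.

```php
<?php
// Added example, not AVideo code. Every function name and the "csrf_token"
// field/header name are assumptions for illustration only.
declare(strict_types=1);
session_start();

// Placeholder for the application's own session/role check.
function is_admin_session(): bool {
    return !empty($_SESSION['user_is_admin']);
}

// Placeholder for the database write the endpoint performs.
function delete_category(int $id): bool {
    return $id > 0; // real code would run a parameterized DELETE here
}

// Uniform JSON error response that stops processing.
function json_fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'msg' => $msg]);
    exit;
}

// Issue (or reuse) one unguessable token per session. The admin UI embeds it
// in its forms or sends it as a header with fetch()/XHR.
function csrf_issue_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Abort unless the request carries the session's token. A cross-origin page
// can make the browser attach the admin's cookie, but it cannot read the
// token out of the admin's session, so a forged POST fails here.
// hash_equals() keeps the comparison constant-time.
function csrf_require_valid_token(): void {
    $sent     = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? '');
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        json_fail(403, 'invalid or missing CSRF token');
    }
}

// Vulnerable shape: the admin check alone. A POST auto-submitted from any
// site carries the admin's session cookie, so this gate is passed.
function categoryDelete_vulnerable(): void {
    if (!is_admin_session()) { json_fail(403, 'admin only'); }
    $ok = delete_category((int)($_POST['id'] ?? 0));
    echo json_encode(['error' => !$ok]);
}

// Hardened shape: same endpoint, token check before any write.
function categoryDelete_hardened(): void {
    if (!is_admin_session()) { json_fail(403, 'admin only'); }
    csrf_require_valid_token(); // the check the affected endpoints lack
    $ok = delete_category((int)($_POST['id'] ?? 0));
    echo json_encode(['error' => !$ok]);
}

header('Content-Type: application/json');
categoryDelete_hardened();
```

The token is tied to the session rather than to the request, which is enough for this class of bug because the attacker's page cannot read it; the check sits after the role check and before the write so a forged request is rejected without any side effect. Accept the token only from the POST body or a custom header, never from the query string, so it does not leak through Referer headers or server logs.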