WWBN AVideo Missing CSRF Protection on JSON Endpoints Allows Forced Actions

Vulnerability

A vulnerability exists in WWBN AVideo versions through 29.0, where multiple JSON endpoints under 'objects/' lack proper Cross-Site Request Forgery (CSRF) protection. These endpoints accept state-changing requests via '$_REQUEST' or '$_GET', and persist changes tied to the user's session without any anti-CSRF token, origin check, or referer check. This vulnerability allows a logged-in user to be manipulated into liking or disliking comments, posting comments on videos, or deleting assets from categories if they have management rights. Exploitation can be done by loading an attacker-controlled HTML resource, such as an image or form submission, in the context of the victim's session.
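The weak pattern described above beside a hardened version, as an added illustration that is not AVideo's own code: the endpoint name, the `comments_id` parameter and the `X-CSRF-Token` header are assumptions, and the fix combines a POST-only rule, an Origin/Referer check and a per-session token compared in constant time.

```php
<?php
// Added illustration, not AVideo's own code. Endpoint and parameter names are hypothetical.
session_start();

// Weak pattern: a state change driven by $_REQUEST with no CSRF defence.
// Any cross-site <img> or auto-submitted form carrying the session cookie triggers it.
function likeCommentWeak(): array {
    $commentId = (int)($_REQUEST['comments_id'] ?? 0);   // hypothetical parameter name
    // ... persist the like for $_SESSION['user_id'] ...
    return ['status' => 'ok', 'comments_id' => $commentId];
}

// Hardened pattern: one random token per session, issued to the page's own JS/forms.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Origin (or, as fallback, Referer) must name our host; absent headers are rejected.
// In production compare against a configured hostname, not the client-supplied Host header.
function sameOrigin(string $expectedHost): bool {
    $hdr = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($hdr === '') {
        return false;
    }
    return parse_url($hdr, PHP_URL_HOST) === $expectedHost;
}

// Reject the request unless it is a POST, same-origin, and carries the session token.
function requireCsrf(string $expectedHost): void {
    $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !sameOrigin($expectedHost)
        || !hash_equals(csrfToken(), (string)$sent)) {   // constant-time comparison
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'CSRF check failed']);
        exit;
    }
}

function likeCommentHardened(string $expectedHost): array {
    requireCsrf($expectedHost);
    $commentId = (int)($_POST['comments_id'] ?? 0);   // POST only; never $_REQUEST/$_GET
    // ... persist the like for $_SESSION['user_id'] ...
    return ['status' => 'ok', 'comments_id' => $commentId];
}

header('Content-Type: application/json');
echo json_encode(likeCommentHardened('avideo.example'));   // placeholder hostname
```

Requiring POST alone is not enough, since a cross-site form can POST; the token is the check that an attacker page cannot satisfy. Marking the session cookie `SameSite=Lax` or `Strict` adds defence in depth but does not replace the token.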

Impact

The vulnerability allows for unauthorized manipulation of user actions, including forced likes or dislikes on comments, unauthorized posting of comments under a user's name, and deletion of category assets by users with management rights.

Reproduction

To reproduce this vulnerability, an attacker must create a webpage that sends a request to one of the vulnerable JSON endpoints, such as 'objects/comments_like.json.php', 'objects/commentAddNew.json.php', or 'objects/categoryDeleteAssets.json.php'. The request can be sent using an image tag or a form submission, and must include the necessary parameters to perform the desired action. When the victim loads the attacker-controlled webpage, the request is sent with the victim's session cookies, allowing the attacker to manipulate the victim's actions on the AVideo platform.

Remediation

Users are advised to update to the latest version of WWBN AVideo, where this vulnerability has been addressed. Instructions for updating can be found in the AVideo documentation.

Added: Apr 22, 2026, 12:09 AM
Updated: Apr 22, 2026, 12:09 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 7.9
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.