WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A vulnerability in WWBN AVideo versions through 29.0 allows cross-site request forgery (CSRF) attacks against the comment deletion feature. The `objects/commentDelete.json.php` endpoint, which deletes comments, lacks CSRF protection: it validates neither the request's Origin nor its Referer header, and it reads its parameters from `$_REQUEST`, so it can be triggered by either a GET or a POST request. The issue is exacerbated by AVideo's cookie policy, which lets cross-site requests include the victim's session ID. As a result, an authenticated user with comment deletion privileges can be tricked into deleting comments without their consent.
Successful exploitation results in the unauthorized mass deletion of comments using the victim's session. This can significantly disrupt community engagement and content integrity, especially when the victim is a site moderator or video owner.
To reproduce this vulnerability, an attacker hosts a web page that sends requests to the vulnerable comment deletion endpoint; the victim's browser attaches their session cookie automatically. This can be done by embedding the request in an image tag for a GET request or by using JavaScript's Fetch API for a POST request. The absence of CSRF tokens and the presence of the session ID in cross-site requests make the attack possible.
Users are advised to update to the patched version of AVideo, where this vulnerability has been addressed by adding the necessary CSRF validation to the comment deletion endpoint.
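As an added illustration (not AVideo's own code), the following PHP contrasts the weak handler pattern the advisory describes with a hardened one that requires POST, validates a per-session CSRF token, checks the request Origin/Referer and sets a SameSite session cookie. The parameter name `comment_id`, the token field name and the `deleteComment()` callback are assumptions.

```php
<?php
// Illustrative example, not AVideo's own code. Parameter name 'comment_id',
// the token field name and the deleteComment() callback are assumptions.

// Weak pattern described in the advisory: parameters come from $_REQUEST, so a
// cross-site GET (image tag) or POST carrying the session cookie succeeds.
function handleDeleteWeak(callable $deleteComment): array
{
    $id = (int) ($_REQUEST['comment_id'] ?? 0);
    return ['error' => !$deleteComment($id)];
}

// Hardened pattern: SameSite=Lax keeps the session cookie off cross-site POSTs
// and <img> subresource GETs; the handler is POST-only with a per-session token.
function configureSessionCookie(): void
{
    session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
    session_start();
}

function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token']; // embed in the form or send as a header
}

function requestOriginMatches(string $expectedHost): bool
{
    // Browsers send Origin on cross-site POSTs; fail closed if both are missing.
    $src = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    return $src !== '' && parse_url($src, PHP_URL_HOST) === $expectedHost;
}

function handleDeleteHardened(callable $deleteComment, string $expectedHost): array
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return ['error' => true, 'msg' => 'POST required'];
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty stored token never matches.
    if ($expected === '' || !hash_equals($expected, $sent) || !requestOriginMatches($expectedHost)) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'CSRF validation failed'];
    }
    $id = (int) ($_POST['comment_id'] ?? 0); // body parameters only, never $_REQUEST
    return ['error' => !$deleteComment($id)];
}
```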