WWBN AVideo Unauthenticated CloneSite Key Disclosure Vulnerability Leading to Cross-Site Database Dump

Vulnerability

A vulnerability in WWBN AVideo versions through 29.0 allows unauthenticated disclosure of the CloneSite shared secret, 'myKey', through an error message returned by 'plugin/CloneSite/cloneClient.json.php'. The leaked key can be used to impersonate the affected installation against a remote CloneSite server it is federated with, triggering a full dump of that remote server's database into a publicly readable directory.

Impact

Exploitation of this vulnerability allows unauthorized retrieval of the CloneSite shared secret, 'myKey', which is static and never rotates, so a single disclosure is permanently useful to an attacker. When the affected AVideo installation is federated with a remote CloneSite server, the leaked key lets an attacker impersonate the victim client, bypass the server's authentication check, and trigger an unconditional 'mysqldump' of the remote database. The resulting dump, which contains sensitive data such as user records, payment records, and API credentials, is then downloadable from a public directory on the remote server.

Reproduction

To reproduce this vulnerability, send an unauthenticated GET request to 'plugin/CloneSite/cloneClient.json.php' on the target AVideo installation. The response includes the local 'myKey' value. That key can then be presented to the remote CloneSite server's 'cloneServer.json.php' endpoint, which initiates a database dump that can be downloaded from the remote server's public 'videos/clones/' directory.

Remediation

The vulnerability has been patched in commit e6566f56a28f4556b2a0a09d03717a719dcb49da, which fixes the CloneSite key validation so that 'myKey' is no longer interpolated into the error response. Note that this commit only closes the disclosure; it does not change the fact that the key is static. It is therefore recommended to replace the static 'myKey' with a randomly generated key that can be rotated (and to treat any key configured before the fix as compromised), and to harden the dump process on the remote server so that a valid key alone cannot write a database dump into a public directory.
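The following PHP is an added illustration written for this page; it is not AVideo's code and does not reproduce the patched file. It models the two halves of the issue described above: a key check whose error message interpolates the expected secret (the disclosure), beside a hardened check that uses a constant-time comparison and a message that reveals nothing, plus a generator for the rotatable random key the remediation recommends. A small helper also shows how an operator can verify a fix on their own installation by checking whether the configured key string appears in the body returned by 'cloneClient.json.php'. All variable names, the 'key' parameter, and the constructed secret and response bodies are assumptions.

```php
<?php
// Added example, not AVideo project code. Names ($myKey, $provided, the
// 'key' parameter) are assumptions made for illustration.

// Vulnerable pattern: on mismatch the error message interpolates the
// expected key, so an unauthenticated caller sending any value (or none)
// learns the shared secret from the response body.
function checkKeyVulnerable(string $provided, string $myKey): array
{
    if ($provided !== $myKey) {
        return [
            'error' => true,
            'msg'   => "Invalid key: expected {$myKey}, got {$provided}",
        ];
    }
    return ['error' => false, 'msg' => ''];
}

// Hardened pattern: reject an unconfigured (empty) key outright, compare in
// constant time, and return a message that carries no information about the
// expected value.
function checkKeyHardened(string $provided, string $myKey): array
{
    if ($myKey === '' || !hash_equals($myKey, $provided)) {
        return ['error' => true, 'msg' => 'Invalid key'];
    }
    return ['error' => false, 'msg' => ''];
}

// Rotatable secret: 32 bytes from the CSPRNG, hex encoded (64 characters).
// Generate a new one and reconfigure both ends of the federation to rotate.
function generateCloneKey(): string
{
    return bin2hex(random_bytes(32));
}

// Operator check: does a response body from cloneClient.json.php contain
// the locally configured key? Used after patching to confirm the leak is gone.
function responseLeaksKey(string $body, string $myKey): bool
{
    return $myKey !== '' && strpos($body, $myKey) !== false;
}

// Constructed values for a stand-alone run.
$myKey    = generateCloneKey();          // stands in for the configured secret
$attacker = '';                          // unauthenticated caller, no key

$vuln = checkKeyVulnerable($attacker, $myKey);
$hard = checkKeyHardened($attacker, $myKey);

echo "vulnerable message leaks key: ",
     responseLeaksKey(json_encode($vuln), $myKey) ? "yes" : "no", PHP_EOL; // yes
echo "hardened message leaks key:   ",
     responseLeaksKey(json_encode($hard), $myKey) ? "yes" : "no", PHP_EOL; // no

// Legitimate client with the correct key still passes the hardened check.
echo "correct key accepted:         ",
     checkKeyHardened($myKey, $myKey)['error'] ? "no" : "yes", PHP_EOL;  // yes
```

To run this against a real installation rather than the constructed bodies, fetch 'plugin/CloneSite/cloneClient.json.php' with no credentials (for example with file_get_contents or curl) and pass the response body and your own configured 'myKey' to responseLeaksKey(); a 'true' result means the disclosure is still present. The check is deliberately a plain substring search because the exact shape of the error JSON is not documented here.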

Added: May 11, 2026, 10:42 PM
Updated: May 11, 2026, 10:42 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          2.5
exploitability  9.7
remediation     0.0
relevance       7.6
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.