WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A vulnerability in WWBN AVideo versions through 29.0 allows for unauthenticated cross-user JavaScript execution. The issue arises from an incomplete server-side mitigation of the YPTSocket 'autoEvalCodeOnHTML' feature, which can execute arbitrary JavaScript in the context of logged-in users. The vulnerability is exploited by sending a crafted message through a WebSocket connection, bypassing the intended payload stripping mechanism. This flaw can lead to same-origin policy violations, privilege escalation if an admin user is targeted, and mass exploitation across multiple users.
Exploitation of this vulnerability allows for unauthenticated cross-user JavaScript execution in the browsers of logged-in users, with the executed script running in the context of the user's session on the site. This can lead to unauthorized access to session tokens and DOM data, and if an admin user is targeted, it could result in account takeover and unauthorized actions via the admin panel.
To reproduce this vulnerability, first obtain a WebSocket token from the 'plugin/YPTSocket/getWebSocket.json.php' endpoint. This token can be acquired without authentication. Once the token is obtained, connect to the WebSocket server using the token and send a message that includes 'autoEvalCodeOnHTML' nested under the 'json' field. The message should also include the 'to_users_id' of a logged-in user. The WebSocket server will relay the message to the specified user, who will execute the JavaScript payload via 'eval()'.
Users can update to the latest version of WWBN AVideo, where this vulnerability has been fixed.
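The bypass described above relies on the forbidden key surviving when it is nested under 'json'. The following is an added example, not code from AVideo or from this advisory: it assumes the incomplete mitigation checked only the top level of the message, and contrasts that with a filter that removes 'autoEvalCodeOnHTML' at every depth. The function names, the depth limit, the 'list' field and the sample message are constructed for illustration.

```javascript
// Added example, not AVideo code: a relay-side filter for socket messages.
const FORBIDDEN_KEY = "autoEvalCodeOnHTML";
const MAX_DEPTH = 32; // assumed limit; rejects pathologically nested input

// Assumed model of an incomplete mitigation: only the top level is checked.
function shallowStrip(message) {
  const copy = { ...message };
  delete copy[FORBIDDEN_KEY];
  return copy;
}

// Removes the key at every depth, walking nested objects and arrays.
function deepStrip(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new RangeError("message nested too deeply");
  if (Array.isArray(value)) return value.map((v) => deepStrip(v, depth + 1));
  if (value === null || typeof value !== "object") return value;
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [key, child] of Object.entries(value)) {
    if (key === FORBIDDEN_KEY) continue;
    out[key] = deepStrip(child, depth + 1);
  }
  return out;
}

// True if the key survives anywhere in the structure.
function hasForbiddenKey(value) {
  if (Array.isArray(value)) return value.some((v) => hasForbiddenKey(v));
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([key, child]) => key === FORBIDDEN_KEY || hasForbiddenKey(child)
  );
}

// Constructed message; the string value is an inert placeholder.
const PLACEHOLDER = "/* placeholder */";
const sample = {
  to_users_id: 2,
  autoEvalCodeOnHTML: PLACEHOLDER,
  json: { autoEvalCodeOnHTML: PLACEHOLDER, list: [{ autoEvalCodeOnHTML: PLACEHOLDER }] },
};

console.log("key survives shallow strip:", hasForbiddenKey(shallowStrip(sample)));
console.log("key survives deep strip:   ", hasForbiddenKey(deepStrip(sample)));
```

A filter like this is defence in depth on the relay side; the fix named above remains updating to a patched release.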