WWBN AVideo Password Hash Leakage in MobileManager OAuth Flow Allows Account Takeover

Vulnerability

A vulnerability in WWBN AVideo versions through 29.0 leaks the user's password hash during the OAuth login process in the MobileManager plugin. The issue arises in 'plugin/MobileManager/oauth2.php', which sends an HTTP 302 redirect to 'oauth2Success.php' whose URL contains the user's password hash as read from the database. This hash can be intercepted through various means, such as server logs or browser history. Because AVideo's login endpoint accepts an already-hashed password and compares it directly with the stored hash, the captured hash is sufficient to authenticate, bypassing the need for the actual plaintext password. This vulnerability enables full account takeover, including of administrative accounts.

Impact

Exploitation of this vulnerability leads to full account takeover of any user who has logged in through the MobileManager OAuth endpoint. If the victim is an administrator, the attacker gains administrative control over the AVideo instance. The exposed password hash remains valid until the user changes their password, allowing for persistent unauthorized access.

Reproduction

To reproduce this vulnerability, enable the MobileManager plugin and configure a supported login provider, such as Google, with valid keys. Once these settings are in place, initiate the OAuth flow by accessing 'plugin/MobileManager/oauth2.php' and selecting Google as the provider. After authorization, the server will respond with a redirect to 'oauth2Success.php', including the user's email and password hash in the query string. This redirect can be captured from the web server access logs, upstream proxy/CDN logs, or the victim's browser history. The attacker can then use the intercepted hash to log in as the victim by sending a request to 'objects/login.json.php' with the captured hash and the 'encodedPass=1' flag.
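For responders, an added example (not AVideo's code) that scans access logs for requests to 'oauth2Success.php' whose query string carries a hex-digest-shaped value, so the affected accounts can be forced through a password change. The log lines are constructed, and the parameter names 'email' and 'pass' in them are assumptions rather than names taken from the plugin.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format. The query-parameter
# names 'email' and 'pass' are assumptions; the hex value is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2026:22:41:03 +0000] "GET /plugin/MobileManager/oauth2.php?provider=google HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/May/2026:22:41:04 +0000] "GET /plugin/MobileManager/oauth2Success.php?email=alice%40example.com&pass=deadbeefdeadbeefdeadbeefdeadbeef HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/May/2026:22:45:10 +0000] "GET /plugin/MobileManager/oauth2Success.php?email=bob%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [11/May/2026:22:50:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
HEX_DIGEST_RE = re.compile(r'^[0-9a-f]{32,128}$', re.IGNORECASE)  # md5 through sha512 lengths
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')


def find_leaked_hashes(log_text):
    """One record per request to oauth2Success.php whose query string carries a
    hex-digest-shaped value, which is the leak the advisory describes."""
    leaks = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/plugin/MobileManager/oauth2Success.php"):
            continue
        params = parse_qs(url.query)  # also percent-decodes the values
        digests = [v for vals in params.values() for v in vals if HEX_DIGEST_RE.match(v)]
        if not digests:
            continue  # redirect without credentials: the behaviour after the fix
        emails = [v for vals in params.values() for v in vals if EMAIL_RE.match(v)]
        leaks.append({"ip": m.group("ip"), "time": m.group("time"),
                      "email": emails[0] if emails else None, "hash": digests[0]})
    return leaks


def accounts_needing_reset(log_text):
    """Distinct accounts whose hash appeared in a URL; each needs a forced password
    change, because the leaked hash stays valid until the password changes."""
    return sorted({r["email"] for r in find_leaked_hashes(log_text) if r["email"]})


if __name__ == "__main__":
    for rec in find_leaked_hashes(SAMPLE_LOG):
        print(f'{rec["time"]} {rec["ip"]} leaked hash for {rec["email"]}')
    print("force password reset for:", accounts_needing_reset(SAMPLE_LOG))
```

The same scan can be run over upstream proxy or CDN logs, since the advisory names those as places the redirect URL is recorded.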

Remediation

To address this vulnerability, remove the password hash from the OAuth redirect URL and implement server-side session management. Update 'plugin/MobileManager/oauth2.php' to log in the user without including credentials in the URL. Additionally, add a 'state' parameter and CSRF protection to prevent unauthorized OAuth redirects.

Added: May 11, 2026, 10:41 PM
Updated: May 11, 2026, 10:41 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 7.6
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.