WWBN AVideo Cross-Site Request Forgery Vulnerability in Profile Photo Update Endpoint

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in WWBN AVideo versions through 29.0. The issue resides in the 'objects/userSavePhoto.php' file, which serves as a legacy endpoint for profile photo updates. This endpoint accepts a base64-encoded POST parameter and saves the decoded image data to a user-specific PNG file. The only access control implemented is a check to verify if the user is logged in. However, the endpoint is excluded from the global CSRF protection mechanism, lacks proper validation of the image data, and does not include a CSRF token or Origin/Referer checks. Exploitation of this vulnerability allows an attacker to overwrite a logged-in user's profile photo with arbitrary data, while also triggering a site-wide cache clearance with each forged request.

Impact

Exploitation of this vulnerability allows for unauthorized modification of user profile photos, leading to potential impersonation or defacement. Additionally, the vulnerability causes a global cache invalidation, which can disrupt application performance. The repeated exploitation can also create excessive disk usage by writing large files, contributing to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, a logged-in user must be lured to a malicious webpage that contains a form. This form should be set to submit a base64-encoded image via a POST request to the 'objects/userSavePhoto.php' endpoint. The absence of CSRF protection allows the request to be sent with the user's session cookie, bypassing authentication checks. Once the request is processed, the user's profile photo will be replaced with the submitted image data.

Remediation

Users can update to the patched version of AVideo, which includes validation and sanitization of image data in the user photo and background saving functions. Instructions for updating can be found in the AVideo documentation.