WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A cross-site request forgery (CSRF) vulnerability has been identified in WWBN AVideo versions 29.0 and earlier, specifically in the two-factor authentication (2FA) toggle feature. The vulnerability resides in the `plugin/LoginControl/set.json.php` file, where the endpoint accepts POST requests to disable 2FA for the session-authenticated user. Because the endpoint has no CSRF protection, such as a validation token or a re-authentication requirement, an attacker can send a cross-origin request that disables the victim's 2FA without their knowledge. This could be achieved through a hidden form or a fetch request that omits credentials, so the action completes silently while the account loses its 2FA safeguard.
Exploitation of this vulnerability allows an attacker to disable the 2FA protection on a victim's account, turning it into a standard password-only account. This change is permanent until the victim manually re-enables 2FA. The lack of an audit log for 2FA changes in AVideo further obscures this action, making it difficult for users to detect unauthorized modifications.
To reproduce this vulnerability, an attacker must host a webpage that includes a form targeting the AVideo 2FA toggle endpoint. This form should be set to submit a POST request that disables 2FA by sending the appropriate type and value parameters. Once the form is submitted, the request will be processed by the AVideo server, where the victim's 2FA is silently disabled. This can be done without any visible indication to the user.
To address this vulnerability, it is recommended to add CSRF protection to the 2FA toggle endpoint, similar to other state-changing endpoints in the AVideo codebase. Additionally, when disabling 2FA, users should be required to provide the current 2FA code or undergo a password re-authentication process.
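A hardened form of the toggle handler along the lines of the recommendation above, written here as an added Python model of the endpoint's checks (it is not AVideo's own code; the function names, the `csrf_token` and `code` form fields, the site origin and the in-memory audit list are assumptions for the example):

```python
import hmac, hashlib, secrets, struct, time

# Constructed model of a hardened 2FA toggle handler (not AVideo's code).
# The request mirrors the page's description: POST with 'type' and 'value'.

def new_csrf_token(session):
    """Issue a per-session synchronizer token that forms must echo back."""
    session["csrf"] = secrets.token_hex(32)
    return session["csrf"]

def totp_code(secret: bytes, t=None, step=30, digits=6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), used to require the current code on disable."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

AUDIT = []  # constructed stand-in for the audit log the page notes is missing

def handle_2fa_toggle(session, form, headers, site_origin="https://avideo.example", now=None):
    """Return (status, message) for a 2FA toggle request."""
    if session.get("user") is None:
        return 401, "not authenticated"
    # 1. Origin check: browsers attach Origin to cross-site POSTs; fail closed if absent.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(site_origin):
        return 403, "cross-origin request refused"
    # 2. Synchronizer token, compared in constant time.
    token = form.get("csrf_token", "")
    if not session.get("csrf") or not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    if form.get("type") != "2fa":
        return 400, "unsupported type"
    enable = form.get("value") == "1"
    # 3. Disabling is the sensitive direction: demand the current TOTP code.
    if not enable:
        expected = totp_code(session["totp_secret"], now)
        if not hmac.compare_digest(form.get("code", ""), expected):
            return 403, "current 2FA code required to disable"
    session["2fa_enabled"] = enable
    AUDIT.append((session["user"], "2fa_enabled", enable))  # record the change
    return 200, "ok"
```

Any one of the three checks blocks the hidden-form attack described above; the audit entry is what lets a user or operator notice an unexpected change afterwards.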