WWBN AVideo AuthorizeNet Payment Processing Vulnerability Allows Arbitrary Wallet Credits

Vulnerability

A vulnerability in WWBN AVideo versions through 29.0 in the AuthorizeNet payment processing endpoint allows logged-in users to manipulate their wallet balance. The endpoint improperly credits the user's wallet based solely on the amount specified in the POST request, without validating any actual Authorize.Net transaction or payment details. This flaw enables users to add arbitrary funds to their AVideo wallet when the AuthorizeNet and YPTWallet plugins are active.

Impact

Exploitation of this vulnerability allows authenticated users to increase their wallet balance by any desired amount. This could be used to purchase paid content or subscriptions, transfer inflated funds to other users, or manipulate financial records and workflows.

Reproduction

To reproduce this vulnerability, log into an AVideo account with the AuthorizeNet and YPTWallet plugins enabled. Once logged in, send a POST request to the 'plugin/AuthorizeNet/processPayment.json.php' endpoint, including an 'amount' parameter with the desired value. The request must be sent with the user's session cookie to authenticate the transaction. The endpoint will respond indicating that the payment was processed, and the wallet balance will reflect the added amount.

Remediation

It is recommended to remove or disable the 'processPayment.json.php' file if it is no longer needed. Wallet credits should not be based solely on client-supplied amounts. Instead, utilize the Authorize.Net transaction verification process to ensure payments are legitimate before updating wallet balances. Adding regression tests to prevent similar vulnerabilities in the future is also advised.
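One way to apply this remediation, shown as an added example that is not AVideo's own code: the wallet is credited only from a transaction the server has looked up at the gateway, matched against an order the server recorded itself, and applied at most once. The class, the lookup closure, the array fields and the cents normalisation are hypothetical, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Added example: every name here is hypothetical. $lookup stands in for a
// server-to-server transaction-details query made with the merchant's API keys.
final class WalletCreditor
{
    private array $credited = [];   // transaction ids already applied (persist with a unique key in practice)
    public array $balances = [];    // user id => balance in cents
    public function __construct(private Closure $lookup, private array $pendingOrders) {}

    // Credits the wallet from gateway-reported data only; no client-supplied amount is accepted.
    public function credit(int $userId, string $transId): int
    {
        $tx = ($this->lookup)($transId);
        if ($tx === null) {
            throw new RuntimeException('unknown transaction');
        }
        if (!in_array($tx['transactionStatus'], ['capturedPendingSettlement', 'settledSuccessfully'], true)) {
            throw new RuntimeException('payment not captured');
        }
        $order = $this->pendingOrders[$tx['invoiceNumber']] ?? null;
        if ($order === null || $order['userId'] !== $userId || $order['amountCents'] !== $tx['amountCents']) {
            throw new RuntimeException('transaction does not match an order for this user');
        }
        if (isset($this->credited[$transId])) {
            throw new RuntimeException('transaction already credited');
        }
        $this->credited[$transId] = true;
        return $this->balances[$userId] = ($this->balances[$userId] ?? 0) + $tx['amountCents'];
    }
}

// Constructed sample data: what the gateway reports, and the order recorded server-side at checkout.
$gateway = [
    'T1001' => ['transactionStatus' => 'settledSuccessfully', 'invoiceNumber' => 'INV-1', 'amountCents' => 500],
    'T1002' => ['transactionStatus' => 'declined', 'invoiceNumber' => 'INV-1', 'amountCents' => 500],
];
$creditor = new WalletCreditor(
    fn(string $id): ?array => $gateway[$id] ?? null,
    ['INV-1' => ['userId' => 7, 'amountCents' => 500]]
);
foreach ([[7, 'T1001'], [7, 'T1001'], [7, 'T1002'], [8, 'T1001'], [7, 'T9999']] as [$uid, $tid]) {
    try {
        echo "$tid user $uid: balance {$creditor->credit($uid, $tid)}\n";
    } catch (RuntimeException $e) {
        echo "$tid user $uid: rejected ({$e->getMessage()})\n";
    }
}
```

Only the first call changes a balance; the replayed id, the declined transaction, the other user's attempt and the unknown id are all rejected, which are the cases a regression test for this endpoint should pin down.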

Added: May 29, 2026, 2:21 PM
Updated: May 29, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 6.4
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.