AVideo (<= 29.0) — CraftedSignal Threat Feed

AVideo API Secret Disclosure Leads to Unauthorized Access

hello@craftedsignal.io — Tue, 09 Jan 2024 12:00:00 +0000

AVideo, a video-sharing platform, is vulnerable to a critical security flaw that allows unauthenticated users to access sensitive API secrets. Specifically, the objects/plugins.json.php endpoint, intended to provide plugin configuration details, inadvertently exposes the APISecret within the object_data. This vulnerability, present in versions 29.0 and earlier, allows an attacker to bypass authentication and directly interact with protected API endpoints. By extracting the APISecret, an attacker can then craft API requests to access restricted data, such as user lists, without proper authorization. This poses a significant risk to data confidentiality and integrity within AVideo installations.

Attack Chain

An unauthenticated attacker discovers the publicly accessible objects/plugins.json.php endpoint.
The attacker sends an HTTP GET request to objects/plugins.json.php to retrieve plugin configurations.
The server responds with a JSON payload containing plugin object_data, including the APISecret.
The attacker extracts the APISecret from the JSON response.
The attacker crafts a malicious API request to the plugin/API/get.json.php endpoint, including the APISecret as an authentication token.
The attacker specifies the desired APIName (e.g., users_list) and other parameters (e.g., rowCount, current) in the API request.
The server incorrectly validates the request based on the provided APISecret.
The server responds with the requested data, granting the attacker unauthorized access to protected information.

Impact

Successful exploitation of this vulnerability grants unauthorized access to sensitive data managed by the AVideo platform. An attacker could potentially access user lists and other restricted information. The number of affected installations is currently unknown, but any instance running AVideo version 29.0 or earlier is susceptible. This can lead to data breaches, privacy violations, and potential misuse of user information.

Recommendation

Apply the recommended fix of requiring admin authentication for the full plugin inventory/config endpoint (as suggested in the advisory).
Deploy the Sigma rule “AVideo API Secret Disclosure Attempt” to detect attempts to access the vulnerable objects/plugins.json.php endpoint.
Deploy the Sigma rule “AVideo Unauthorized API Access via APISecret” to detect unauthorized API calls using a disclosed API secret.

AVideo SSRF Vulnerability via HTTP Redirect and DNS Rebinding

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

AVideo, version 29.0 and earlier, contains a Server-Side Request Forgery (SSRF) vulnerability due to insufficient validation of user-supplied URLs. Specifically, the isSSRFSafeURL() function, intended to prevent SSRF attacks, fails to account for HTTP redirects. This allows an attacker to bypass the intended security checks by providing a URL that initially appears safe but redirects to an internal resource, such as cloud metadata endpoints (169.254.169.254). Additionally, multiple callers of isSSRFSafeURL() discard the $resolvedIP parameter, creating a Time-of-Check Time-of-Use (TOCTOU) race condition exploitable via DNS rebinding. Attackers can manipulate DNS resolution to access internal services (127.0.0.1) that would otherwise be protected. Successful exploitation can lead to the disclosure of sensitive information, such as IAM credentials and internal service details.

Attack Chain

Attacker crafts a malicious URL pointing to a server they control.
The attacker’s server responds with a 302 redirect to an internal resource (e.g., http://169.254.169.254/latest/meta-data/).
The attacker submits the initial malicious URL to a vulnerable AVideo endpoint (e.g., /plugin/AI/receiveAsync.json.php).
The isSSRFSafeURL() function validates the initial URL, which resolves to a public IP address, and incorrectly passes the check.
The file_get_contents() function, without proper redirect restrictions, follows the 302 redirect to the internal resource.
The request is made to the internal resource, bypassing the intended SSRF protections.
The internal resource (e.g., cloud metadata) responds with sensitive information.
The sensitive information (e.g., IAM credentials) is stored as a video thumbnail or image within the application, accessible to the attacker.

Impact

Successful exploitation of this SSRF vulnerability allows an authenticated attacker to force the AVideo server to make HTTP requests to arbitrary internal hosts. This includes cloud metadata endpoints (e.g., 169.254.169.254), potentially leading to the exfiltration of IAM credentials and instance identity information. Attackers can also access internal services on localhost (127.0.0.1) or the private network, such as databases, admin panels, and monitoring systems. The exfiltrated data can be retrieved through the application’s public interface, increasing the severity of the impact.

Recommendation

Apply the suggested fix by routing affected files through url_get_contents() to safely handle redirects, as detailed in the advisory.
As an alternative to using url_get_contents(), implement an explicit no-redirect context when calling file_get_contents() to prevent automatic redirect following.
Update all callers of isSSRFSafeURL() to capture the $resolvedIP parameter and pass it to a DNS-pinning-aware fetch function using CURLOPT_RESOLVE to mitigate DNS rebinding attacks.
Monitor web server logs for requests containing internal IP addresses (169.254.169.254, 127.0.0.1) in the URL, as these may indicate SSRF attempts.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

AVideo CloneSite Unauthenticated Information Disclosure Leading to Remote Database Dump

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

AVideo, a video sharing platform, is vulnerable to an unauthenticated information disclosure flaw in its CloneSite plugin. The vulnerability resides in the plugin/CloneSite/cloneClient.json.php endpoint. This endpoint inadvertently echoes the local CloneSite shared secret ($objClone->myKey) in HTTP responses without requiring any form of authentication. This secret is intended to authenticate requests between federated AVideo instances using the CloneSite plugin. An attacker can exploit this vulnerability by simply sending a GET request to the vulnerable endpoint, obtaining the myKey. When the AVideo installation is federated with a remote CloneSite server, the attacker can use the leaked myKey to impersonate the victim client and trigger a full database dump of the remote server. This database dump includes sensitive information such as user credentials, payment records, and API keys. The vulnerability affects AVideo version 29.0 and earlier.

Attack Chain

The attacker sends an unauthenticated GET request to https://victim.example.com/plugin/CloneSite/cloneClient.json.php.
The AVideo server echoes the local $objClone->myKey within the HTTP response body due to a flawed error message construction.
The attacker extracts the leaked $objClone->myKey from the response.
The attacker crafts a malicious request to the remote CloneSite server (https://remote-server.example.com/plugin/CloneSite/cloneServer.json.php) using the leaked $objClone->myKey and the victim’s URL.
The remote CloneSite server validates the attacker’s request using the provided key, successfully authenticating the attacker as the victim client.
The remote server executes a mysqldump command, dumping the entire database (excluding CachesInDB) to a publicly accessible directory (videos/clones/).
The attacker retrieves the database dump from the remote server via an unauthenticated HTTP GET request to https://remote-server.example.com/videos/clones/Clone_mysqlDump_*.sql.
The attacker analyzes the database dump, gaining access to sensitive information such as user credentials, payment records, and API keys.

Impact

Successful exploitation of this vulnerability allows any unauthenticated attacker to retrieve the CloneSite shared secret (myKey) of any AVideo installation with the CloneSite plugin enabled. When the affected installation is federated with a remote CloneSite server, the attacker can impersonate the victim client and trigger a full database dump of the remote server containing sensitive data. This can lead to the compromise of user accounts, financial information, and sensitive plugin configurations on the remote server. This vulnerability permits unauthorized access to critical data, potentially resulting in severe data breaches and financial losses.

Recommendation

Apply the recommended fix by not echoing the expected key in the rejection message within plugin/CloneSite/cloneClient.json.php, and reject non-CLI / non-admin callers cleanly, as detailed in the overview (see code snippet in advisory).
Implement the additional hardening recommendations, including replacing the static myKey with a randomly generated, per-installation key stored in the plugin configuration that can be rotated.
On the remote side (cloneServer.json.php), consider requiring the sqlFile path to be unguessable (already is, via uniqid()) AND gating the dump behind an IP allowlist or an additional pre-shared rotating token.
Serve videos/clones/ with an .htaccess/nginx rule that denies direct HTTP access, so that even if a rogue client is authenticated, the dump is not downloadable over the web.

AVideo Unauthenticated Cross-User JavaScript Execution via YPTSocket Vulnerability

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

AVideo is vulnerable to an unauthenticated cross-site scripting (XSS) vulnerability stemming from an incomplete fix for the YPTSocket autoEvalCodeOnHTML eval sink (GHSA-gph2-j4c9-vhhr). The initial patch only stripped the payload when present under $json['msg'], but the relay function msgToResourceId() prioritizes $msg['json'] before $msg['msg']. An unauthenticated attacker can exploit this flaw by obtaining a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connecting to the WebSocket server, and sending a message with autoEvalCodeOnHTML nested under a top-level json field. This bypasses the strip branch, delivering the payload verbatim to any logged-in user identified by to_users_id, and the client script executes it via eval(). Versions of AVideo up to and including 29.0 are affected if they have not implemented the recommended fixes.

Attack Chain

An unauthenticated attacker requests a WebSocket token from plugin/YPTSocket/getWebSocket.json.php.
The server issues a valid WebSocket token without authentication or CSRF checks.
The attacker establishes a WebSocket connection to the server using the obtained token.
The attacker crafts a malicious message containing JavaScript code within the autoEvalCodeOnHTML field, nested under a top-level json field: {"msg": "x", "json": {"autoEvalCodeOnHTML": ""}, "to_users_id": }.
The attacker sends the crafted message to the WebSocket server.
The server-side validation logic in plugin/YPTSocket/Message.php fails to properly sanitize the autoEvalCodeOnHTML field due to the bypass.
The server relays the message to the targeted user (to_users_id) via the WebSocket connection.
The client-side script (plugin/YPTSocket/script.js) receives the message and executes the JavaScript code within autoEvalCodeOnHTML via eval(), leading to XSS.

Impact

This vulnerability allows for unauthenticated XSS and arbitrary JavaScript execution within any logged-in user’s browser session. A successful exploit enables attackers to compromise the same-origin policy, potentially leading to session data exfiltration, authenticated XHR calls on the victim’s behalf, privilege escalation (if targeting an administrator), and mass exploitation by enumerating active users via the getClientsList request. Deployments that only patched to commit c08694bf6 remain vulnerable.

Recommendation

Apply the recommended patch by scrubbing autoEvalCodeOnHTML from every outbound carrier the relay may choose in plugin/YPTSocket/Message.php and plugin/YPTSocket/MessageSQLiteV2.php as described in the advisory.
Harden the relay in msgToResourceId() (both files) by recursively walking the chosen $obj['msg'] and unsetting autoEvalCodeOnHTML when the message originated from a non-PHP, non-CLI client.
As defense in depth, remove or gate the client-side eval(json.msg.autoEvalCodeOnHTML) at plugin/YPTSocket/script.js:573-575 behind a server-signed field rather than a plain JSON key.
Deploy the Sigma rule Detect AVideo YPTSocket autoEvalCodeOnHTML Bypass to detect attempts to exploit this vulnerability by monitoring for WebSocket messages containing the autoEvalCodeOnHTML field within a json field.