{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/information_disclosure/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["avideo (\u003c= 29.0)"],"_cs_severities":["high"],"_cs_tags":["avideo","information_disclosure","database_dump"],"_cs_type":"advisory","_cs_vendors":["wwbn"],"content_html":"\u003cp\u003eAVideo, a video sharing platform, is vulnerable to an unauthenticated information disclosure flaw in its CloneSite plugin. The vulnerability resides in the \u003ccode\u003eplugin/CloneSite/cloneClient.json.php\u003c/code\u003e endpoint. This endpoint inadvertently echoes the local CloneSite shared secret (\u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e) in HTTP responses without requiring any form of authentication. This secret is intended to authenticate requests between federated AVideo instances using the CloneSite plugin. An attacker can exploit this vulnerability by simply sending a GET request to the vulnerable endpoint, obtaining the \u003ccode\u003emyKey\u003c/code\u003e. When the AVideo installation is federated with a remote CloneSite server, the attacker can use the leaked \u003ccode\u003emyKey\u003c/code\u003e to impersonate the victim client and trigger a full database dump of the remote server. This database dump includes sensitive information such as user credentials, payment records, and API keys. The vulnerability affects AVideo version 29.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003ehttps://victim.example.com/plugin/CloneSite/cloneClient.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe AVideo server echoes the local \u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e within the HTTP response body due to a flawed error message construction.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the leaked \u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e from the response.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the remote CloneSite server (\u003ccode\u003ehttps://remote-server.example.com/plugin/CloneSite/cloneServer.json.php\u003c/code\u003e) using the leaked \u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e and the victim\u0026rsquo;s URL.\u003c/li\u003e\n\u003cli\u003eThe remote CloneSite server validates the attacker\u0026rsquo;s request using the provided key, successfully authenticating the attacker as the victim client.\u003c/li\u003e\n\u003cli\u003eThe remote server executes a \u003ccode\u003emysqldump\u003c/code\u003e command, dumping the entire database (excluding \u003ccode\u003eCachesInDB\u003c/code\u003e) to a publicly accessible directory (\u003ccode\u003evideos/clones/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the database dump from the remote server via an unauthenticated HTTP GET request to \u003ccode\u003ehttps://remote-server.example.com/videos/clones/Clone_mysqlDump_*.sql\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the database dump, gaining access to sensitive information such as user credentials, payment records, and API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any unauthenticated attacker to retrieve the CloneSite shared secret (\u003ccode\u003emyKey\u003c/code\u003e) of any AVideo installation with the CloneSite plugin enabled. When the affected installation is federated with a remote CloneSite server, the attacker can impersonate the victim client and trigger a full database dump of the remote server containing sensitive data. This can lead to the compromise of user accounts, financial information, and sensitive plugin configurations on the remote server. This vulnerability permits unauthorized access to critical data, potentially resulting in severe data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by not echoing the expected key in the rejection message within \u003ccode\u003eplugin/CloneSite/cloneClient.json.php\u003c/code\u003e, and reject non-CLI / non-admin callers cleanly, as detailed in the overview (see code snippet in advisory).\u003c/li\u003e\n\u003cli\u003eImplement the additional hardening recommendations, including replacing the static \u003ccode\u003emyKey\u003c/code\u003e with a randomly generated, per-installation key stored in the plugin configuration that can be rotated.\u003c/li\u003e\n\u003cli\u003eOn the remote side (\u003ccode\u003ecloneServer.json.php\u003c/code\u003e), consider requiring the \u003ccode\u003esqlFile\u003c/code\u003e path to be unguessable (already is, via \u003ccode\u003euniqid()\u003c/code\u003e) AND gating the dump behind an IP allowlist or an additional pre-shared rotating token.\u003c/li\u003e\n\u003cli\u003eServe \u003ccode\u003evideos/clones/\u003c/code\u003e with an \u003ccode\u003e.htaccess\u003c/code\u003e/nginx rule that denies direct HTTP access, so that even if a rogue client is authenticated, the dump is not downloadable over the web.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-avideo-clonesite-leak/","summary":"AVideo is vulnerable to unauthenticated information disclosure via the `plugin/CloneSite/cloneClient.json.php` endpoint, which echoes the local CloneSite shared secret (`$objClone-\u003emyKey`) in HTTP responses without authentication, enabling cross-site database dumps of the configured clone server.","title":"AVideo CloneSite Unauthenticated Information Disclosure Leading to Remote Database Dump","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-clonesite-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Information_disclosure","version":"https://jsonfeed.org/version/1.1"}