Headline
CVE-2022-32772: AVideo/updateDb.v12.0.sql at e04b1cd7062e16564157a82bae389eedd39fa088 · WWBN/AVideo
A cross-site scripting (XSS) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. This vulnerability arises from the “msg” parameter, which is inserted into the document with insufficient sanitization.
-- ### Credit
-- 2022-Jul-07
--
-- Discovered by Claudio Bozzato of Cisco Talos.
--
-- TALOS-2022-1534
--
-- Now the userUpdate.json.php requires a request from the same domain as the AVideo site
-- in addition all save and delete database calls require the same by default (a whitelist can be built hardcoding it in the objects/Object.php file)
--
-- TALOS-2022-1535
--
-- Session ID will only change if you are not logged in
-- In case the session ID changes we will regenerate it with a new name avoiding reusing it
--
-- TALOS-2022-1536
--
-- plugin/Live/view/Live_schedule/add.json.php and objects/playlistAddNew.json.php will deny the update if the users_id is not the same as the original record's when editing
--
-- TALOS-2022-1537
--
-- Add a sanitize rule on the security file
--
--
-- TALOS-2022-1539
--
-- Add a sanitize rule on the view/img/image403.php file itself
--
-- TALOS-2022-1540
--
-- Video title and the filename will always be sanitized on the setTitle method (sometimes more than once)
--
--
-- TALOS-2022-1542
--
-- httponly set to true
-- we are now using the passhash instead of the database pass in all site
-- the passhash is totally different from the original DB password, it is an encrypted JSON and has an expiration time, and also will be automatically rejected if the original password is updated
-- the login with the pass hash (database password field) directly will be disabled soon, for now, it is only enabled to buy some time to update the other third parties apps
--
-- TALOS-2022-1545
--
-- Fixed on TALOS-2022-1542
--
-- TALOS-2022-1546
--
-- Filename is now sanitized with escapeshellarg(safeString($filename,true));
--
-- TALOS-2022-1538
--
-- all 4 parameters are sanitized now
-- also if the request does not come from the same site, the showAlertMessage() function will not be executed
--
-- TALOS-2022-1547
--
-- Now every time the admin logs in we will check if the new videos/.htaccess is there, and create it if it is not
-- <IfModule !authz_core_module>
-- Order Allow,Deny
-- Deny from all
-- </IfModule>
-- <IfModule authz_core_module>
-- Require all denied
-- </IfModule>
-- <filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|ts|txt|mp4|mp3|m3u8|webp|key|css|tff|woff|woff2)$">
-- <IfModule !authz_core_module>
-- Order Allow,Deny
-- Allow from all
-- </IfModule>
-- <IfModule authz_core_module>
-- Require all granted
-- </IfModule>
-- </filesMatch>
--
-- this will only allow access to some specific file types inside the videos folder
--
-- TALOS-2022-1548
--
-- we now verify properly if it is a valid URL, also we are using the escapeshellarg for URL and destination filename
--
-- TALOS-2022-1549
--
-- We now only download the downloadURL_image if it is a valid URL NOT local files anymore
--
-- TALOS-2022-1551
--
-- All our classes were updated using the prepared statement to avoid SQL injection
-- also `videoDownloadedLink` and `duration` are now sanitized
-- if you are editing anything we now “forbidIfItIsNotMyUsersId”
-- key and URL are now sanitized in the Clone plugin
--
-- TALOS-2022-1550
--
-- the url_get_contents now only downloads files from valid URLs or files from inside the cache folder
UPDATE configurations SET version = '12.0', modified = now() WHERE id = 1;
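The headline issue (CVE-2022-32772 / TALOS-2022-1538) is a footer alert whose "msg" parameter reached the document unencoded, and the changelog's fix is twofold: encode the parameters and skip showAlertMessage() for requests that do not come from the same site. The PHP below is an added example written for this page, not AVideo's code; renderFooterAlert(), isSameSiteRequest() and escapeForHtml() are hypothetical names, and the only identifier taken from the advisory is the "msg" parameter.

```php
<?php
// Added example (not AVideo's code): render a footer alert from a request
// parameter without letting it become markup, and only for same-site requests.
// renderFooterAlert(), isSameSiteRequest() and escapeForHtml() are hypothetical.

/**
 * Accept the request only when the Origin (or, failing that, the Referer)
 * header names the site's own host. Requests carrying neither header are
 * treated as cross-site, because we cannot prove otherwise.
 */
function isSameSiteRequest(array $server, string $siteHost): bool
{
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            $host = parse_url($server[$header], PHP_URL_HOST);
            return is_string($host) && strcasecmp($host, $siteHost) === 0;
        }
    }
    return false;
}

/**
 * Encode untrusted text for an HTML element body or quoted attribute.
 * htmlspecialchars() turns < > & " ' into entities, so the browser sees
 * text, never a new tag or attribute.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFooterAlert(array $get, array $server, string $siteHost): string
{
    if (!isSameSiteRequest($server, $siteHost)) {
        return ''; // cross-site request: emit no alert at all
    }
    $msg = $get['msg'] ?? '';
    // The vulnerable pattern concatenated $msg into the page as-is; the
    // hardened version encodes it for the HTML context it lands in.
    return '<div class="alert" role="alert">' . escapeForHtml($msg) . '</div>';
}

// Constructed sample request (not captured traffic): a message that would be
// parsed as an element if it were inserted raw.
$sampleGet    = ['msg' => '<b onmouseover="alert(1)">Saved</b>'];
$sampleServer = ['HTTP_REFERER' => 'https://avideo.example/index.php'];

echo renderFooterAlert($sampleGet, $sampleServer, 'avideo.example'), PHP_EOL;
echo renderFooterAlert($sampleGet, ['HTTP_REFERER' => 'https://elsewhere.example/'], 'avideo.example'), PHP_EOL;
```

The encoding has to match the sink: HTML entity encoding is right when the message is written into element content or an attribute, but if the alert is built on the client side (for example the server emits a `<script>` that passes the message to a JavaScript function), the value must instead be emitted with json_encode() so it stays a string inside the script. The same-site check is a second, independent layer; it is not a substitute for encoding.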
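TALOS-2022-1546, -1548, -1549 and -1550 are all variations on one theme: a user-supplied URL or filename reached a file fetch or a shell command, so local files could be read and the destination name could carry shell metacharacters. The changelog's fixes are to accept only genuine remote URLs (never local files) and to pass both URL and destination filename through escapeshellarg(safeString($filename, true)). The PHP below is an added example for this page, not AVideo's code: safeString() is AVideo's own function and the version here is a hypothetical stand-in, isAllowedRemoteUrl() and buildDownloadCommand() are invented names, and the paths used are constructed placeholders.

```php
<?php
// Added example (not AVideo's code) for the download-URL fixes: allow only
// http(s) URLs with a host, refuse anything naming a local file, and quote
// every attacker-influenced command-line piece with escapeshellarg().
// safeString() below is a hypothetical stand-in for AVideo's own function.

function safeString(string $value, bool $strict = false): string
{
    // Keep letters, digits, dot, dash and underscore; fold everything else to "_".
    $clean = preg_replace('/[^A-Za-z0-9._-]+/', '_', $value);
    $clean = ltrim($clean, '.');          // no leading dot: no dotfiles, no ".." segments
    return $strict ? substr($clean, 0, 120) : $clean;
}

/**
 * True only for absolute http/https URLs that carry a host. file://, php://,
 * data:, plain paths such as /etc/hostname and Windows drive paths all fail,
 * because they either have no http(s) scheme or no host component.
 */
function isAllowedRemoteUrl(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * Build (but do not run) the fetch command so the quoting can be inspected.
 * Returns null when the URL is not an acceptable remote URL.
 */
function buildDownloadCommand(string $url, string $filename, string $destDir): ?string
{
    if (!isAllowedRemoteUrl($url)) {
        return null; // local files and non-http schemes are rejected up front
    }
    $target = rtrim($destDir, '/') . '/' . safeString($filename, true);
    // escapeshellarg() single-quotes each argument, so spaces, semicolons
    // and quotes in either value stay inside one argv entry.
    return 'wget -q -O ' . escapeshellarg($target) . ' ' . escapeshellarg($url);
}

// Constructed inputs (placeholder hosts and paths, not captured requests).
$cases = [
    ['https://cdn.example/thumb.jpg',        'thumb.jpg'],
    ['file:///etc/hostname',                 'hostname'],
    ['/var/www/html/videos/local_file.php',  'local'],
    ['https://cdn.example/a.jpg',            'my thumb;1.jpg'],
];
foreach ($cases as [$url, $name]) {
    var_dump(buildDownloadCommand($url, $name, '/var/www/html/videos/cache'));
}
```

Restricting the scheme to http(s) closes the local-file reads the advisories describe; it does not by itself stop the server from fetching internal hosts, so a deployment that is exposed to untrusted URL input would also resolve the host and refuse private address ranges before fetching.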
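TALOS-2022-1551 is fixed by moving the classes to prepared statements and by refusing edits whose users_id is not the caller's ("forbidIfItIsNotMyUsersId"). The PHP below is an added example for this page, not AVideo's own class code: AVideo talks to MySQL through mysqli, whereas this example uses PDO with an in-memory SQLite database so that it runs stand-alone; the `videos` table layout and the function names are assumed for illustration, with `videoDownloadedLink` and `duration` taken from the changelog.

```php
<?php
// Added example (not AVideo's code). PDO + in-memory SQLite stands in for
// AVideo's mysqli connection so the snippet runs offline; the binding
// discipline is the same. Table layout and function names are assumed.

function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, users_id INTEGER,
               title TEXT, duration TEXT, videoDownloadedLink TEXT)');
    // Constructed sample rows owned by two different users.
    $db->exec("INSERT INTO videos (users_id, title, duration, videoDownloadedLink)
               VALUES (1, 'intro', '00:01:00', ''), (2, 'other', '00:02:00', '')");
    return $db;
}

/** Vulnerable pattern, kept for contrast: the title is spliced into the SQL text. */
function findVideoByTitleUnsafe(PDO $db, string $title): array
{
    $sql = "SELECT id, users_id, title FROM videos WHERE title = '$title'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: the title is a bound parameter and can never change the query's shape. */
function findVideoByTitle(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, users_id, title FROM videos WHERE title = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Update a record only if it belongs to the requesting user. Ownership is
 * part of the WHERE clause, so a record owned by someone else matches zero
 * rows instead of being overwritten.
 */
function updateMyVideo(PDO $db, int $videoId, int $currentUsersId, string $link, string $duration): int
{
    $stmt = $db->prepare('UPDATE videos SET videoDownloadedLink = ?, duration = ?
                          WHERE id = ? AND users_id = ?');
    $stmt->execute([$link, $duration, $videoId, $currentUsersId]);
    return $stmt->rowCount(); // 0 means not found or not owned by this user
}

$db = openSampleDb();
$input = "x' OR '1'='1"; // constructed input containing a quote
var_dump(findVideoByTitleUnsafe($db, $input));
var_dump(findVideoByTitle($db, $input));
// user 2 attempts to edit video 1, which belongs to user 1
var_dump(updateMyVideo($db, 1, 2, 'https://cdn.example/v.mp4', '00:01:30'));
```

In the unsafe function the quote in the input terminates the string literal and the remainder becomes part of the WHERE clause, so the comparison is satisfied for every row; in the prepared version the same bytes are compared as one literal title and match nothing. The ownership check belongs in the statement rather than in a separate "read, then compare users_id in PHP, then write" sequence, which would be vulnerable to a race between the read and the write.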
Related news
Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass. AVideo is an open-source web application that allows users to build a video streaming and sharing platform. Anyone who joins the community can host videos on-demand, launch a live stream or encode different video formats. TALOS-2022-1542 (CVE-2022-32777 - CVE-2022-32778), TALOS-2022-1549 (CVE-2022-32761) and TALOS-2022-1550 (CVE-2022-28710) are information disclosure vulnerabilities that are triggered if an adversary sends the targeted instance a specially crafted HTTP packet. TALOS-2022-1550 and TALOS-2022-1549 could allow the adversary to read arbitrarily selected files, while TALOS-2022-1542 could allow them to steal the session cookie. Some of the most serious vulnerabili...