How the CVE works:
The vulnerability exists in objects/userSavePhoto.php, a legacy endpoint that accepts a base64-encoded image via POST and writes decoded bytes to videos/userPhoto/photo<USER_ID>.png. Its only access control is `User::isLogged()` – no CSRF token, no Origin/Referer check, and no MIME validation. The endpoint lacks the `.json.php` suffix, so AVideo’s global `autoCSRFGuard` (which only runs on `.json.php` scripts) never executes. The application sets session cookies to `SameSite=None; Secure` on HTTPS, allowing browsers to attach them to cross-site POSTs. An attacker hosts a malicious HTML form that auto-submits to `/objects/userSavePhoto.php` with a crafted `imgBase64` parameter. When a logged-in victim visits the attacker’s page, the browser sends the request with the victim’s PHPSESSID cookie. The endpoint decodes the attacker’s base64 data (any bytes up to ~6 MB), writes them to the victim’s deterministic profile photo path, and calls `clearCache(true)` – invalidating all application caches. No image validation is performed: `base64DataToImage()` only decodes base64; `getimagesizefromstring()` or `imagecreatefromstring()` are never called. The attacker can overwrite any logged-in user’s profile photo with arbitrary content (e.g., offensive images, impersonation) and repeatedly trigger global cache thrashing or disk exhaustion via multiple victims.
Summary:
Platform: AVideo platform
Version: All prior versions
Vulnerability: CSRF + defacement
Severity: Critical (8.8)
Date: 2022-08-23
Prediction: Patched August 2022
What Undercode Says:
Verify vulnerable endpoint responds without CSRF token
curl -X POST https://victim.example.com/objects/userSavePhoto.php \
-d "imgBase64=$(echo -n 'ATTACKER_BYTES' | base64)" \
-b "PHPSESSID=victim_session" -v
Generate malicious HTML PoC (auto-submit form)
cat <<EOF > poc.html
<form id="csrf" action="https://victim.example.com/objects/userSavePhoto.php" method="POST">
<input name="imgBase64" value="$(base64 -w0 fake.png)">
</form>
<script>document.getElementById('csrf').submit();</script>
EOF
Check overwritten profile photo
curl https://victim.example.com/videos/userPhoto/photo<USER_ID>.png
Exploit:
Attacker lures logged-in victim to a crafted HTML page containing a hidden form that POSTs to `/objects/userSavePhoto.php` (or `/savePhoto` via .htaccess rewrite). The form includes a base64 payload – any bytes (e.g., a malicious PNG, text, or large garbage). Upon auto-submission, the victim’s session cookie is sent due to SameSite=None. The server writes the decoded payload to photo<victim_id>.png, replacing the profile photo. Repeated submissions trigger `clearCache(true)` after each write, causing performance degradation. No CORS preflight is required because the POST uses `application/x-www-form-urlencoded` (simple request).
Protection from this CVE
Apply the same-origin guard used for `.json.php` endpoints: add `require_once 'objects/functionsSecurity.php'; forbidIfIsUntrustedRequest('userSavePhoto');` at the start of userSavePhoto.php. Validate image content with `@imagecreatefromstring()` and reject non-PNG data. Optionally limit file size (e.g., 1.5 MB decoded). Change the global cookie policy to `SameSite=Lax` or `Strict` for non-critical sessions. Broaden `autoCSRFGuard` to cover all authenticated POST handlers, not only `.json.php`. Move `clearCache(true)` inside the `if ($bytes)` branch to avoid cache invalidation on zero-byte writes.
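The fixes above combined into one hardened handler, written here as an added example and not AVideo's own code. It assumes the helpers named on this page (`forbidIfIsUntrustedRequest()`, `User::isLogged()`, `clearCache()`) plus an assumed `User::getId()` accessor for the current user's id.

```php
<?php
// Hardened userSavePhoto-style handler (added example, not the project's code).
// Assumes: forbidIfIsUntrustedRequest(), User::isLogged(), clearCache() from the
// page, and User::getId() (assumed) returning the logged-in user's numeric id.
require_once 'objects/functionsSecurity.php';
forbidIfIsUntrustedRequest('userSavePhoto'); // same-origin guard used by .json.php endpoints

const MAX_PHOTO_BYTES = 1572864; // 1.5 MB decoded cap, per the protection notes above

/**
 * Decode and validate a base64 image payload.
 * Returns the raw PNG bytes, or null when the payload must be rejected.
 */
function validatePngPayload(string $imgBase64): ?string
{
    // Strip an optional data-URI prefix such as "data:image/png;base64,"
    $b64 = preg_replace('#^data:image/\w+;base64,#', '', $imgBase64);
    // Strict decoding rejects any character outside the base64 alphabet
    $bytes = base64_decode($b64, true);
    if ($bytes === false || strlen($bytes) === 0 || strlen($bytes) > MAX_PHOTO_BYTES) {
        return null; // empty, oversized or not base64 at all
    }
    // Every PNG starts with this 8-byte signature; reject other formats up front
    if (substr($bytes, 0, 8) !== "\x89PNG\r\n\x1a\n") {
        return null;
    }
    // Let GD actually parse the data: malformed or non-PNG content fails here
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        return null;
    }
    if (@imagecreatefromstring($bytes) === false) {
        return null;
    }
    return $bytes;
}

if (!User::isLogged()) {
    http_response_code(403);
    exit;
}
$png = validatePngPayload($_POST['imgBase64'] ?? '');
if ($png === null) {
    http_response_code(400); // reject silently instead of writing garbage to disk
    exit;
}
// Cast the id to int so the target path can never be steered by user input
$path = __DIR__ . '/../videos/userPhoto/photo' . (int) User::getId() . '.png';
$written = file_put_contents($path, $png);
if ($written !== false && $written > 0) {
    clearCache(true); // invalidate caches only after a real, non-empty write
    echo json_encode(['ok' => true]);
}
```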
Impact:
- Integrity – Profile defacement of any logged-in user; attacker replaces photo with arbitrary bytes (offensive imagery, impersonation).
- Availability – Global cache thrash: each forged request calls `clearCache(true)`, invalidating all application caches. Repeated attacks cause sustained slowdown.
- Disk exhaustion – Up to ~6 MB per write with no size cap; multiple victims can fill storage.
Sources:
Reported By: github.com