Listen to this Post
The vulnerability exists in the `install/test.php` diagnostic script of AVideo platform. The script was intended to run only from the command line interface (CLI), but the access guard has been disabled by commenting out the `die()` statement. Specifically, at lines 5-7 of install/test.php, the original code checks `if (!isCommandLineInterface())` and should terminate with die('Command Line only');. However, the developer commented out the `return die(…)` line, leaving the script accessible via HTTP. Additionally, the script enables verbose error reporting with `error_reporting(E_ALL);` and ini_set('display_errors', '1');, which leaks internal filesystem paths when PHP warnings occur. The script then calls `VideoStatistic::getLastStatistics(getVideos_id(), User::getId())` and outputs the result using var_dump(). The `VideoStatistic` object contains sensitive fields: `ip` (viewer IP address), session_id, user_agent, users_id, and JSON metadata. The `install/` directory is not protected by `.htaccess` beyond Options -Indexes, meaning no web server rules block direct access to individual PHP files. An unauthenticated attacker can simply request `install/test.php?videos_id=1` to retrieve recent viewer statistics, including PII such as IP addresses and session identifiers. The `display_errors=1` setting further aids information disclosure by revealing full server paths on any error. This misconfiguration effectively turns a CLI-only diagnostic tool into a public data leak endpoint.
Platform: AVideo platform
Version: Unspecified versions
Vulnerability: Unauthenticated statistics disclosure
Severity: Low
date: 2026-04-05
Prediction: Expected patch 2026-04-19
What Undercode Say:
Check if install/test.php is accessible curl -s "https://target.com/install/test.php?videos_id=1" | grep -E "ip|session_id|user_agent" Simulate verbose error path leak curl -s "https://target.com/install/test.php?videos_id=invalid" | grep -E "Warning|Fatal error" Example PHP code to reproduce <?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://target.com/install/test.php?videos_id=1"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $resp = curl_exec($ch); var_dump($resp); ?>
Exploit:
Send an HTTP GET request to `/install/test.php` with a valid `videos_id` parameter (e.g., 1). No authentication required. The response will contain a `var_dump()` output of the `VideoStatistic` object, exposing IP addresses, session IDs, user agents, and user IDs of recent viewers. If the parameter is invalid, PHP warnings reveal absolute filesystem paths.
Protection from this CVE:
Uncomment the CLI guard in `install/test.php` around line 6 to restore if (!isCommandLineInterface()) { return die('Command Line only'); }. Alternatively, remove or restrict access to the entire `install/` directory via web server configuration (e.g., `Require ip 127.0.0.1` in Apache or `deny all` in Nginx). Disable `display_errors` in production by setting `display_errors = Off` in php.ini.
Impact:
Unauthenticated attackers can harvest viewer IP addresses (GDPR-sensitive PII), session identifiers (allowing session hijacking), user agents, and internal server paths. This information aids in further attacks such as session fixation, targeted phishing, or infrastructure mapping. The leak violates privacy regulations and exposes the platform to compliance penalties.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

