AVideo Platform, Unauthenticated Log File Disclosure, No CVE (Medium)

Listen to this Post

How the mentioned CVE works (around 20 lines):

The vulnerability resides in `plugin/CloneSite/client.log.php` which includes a sensitive log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(), but this file does not. The entire code of `client.log.php` is simply:

`

No session validation, no permission check. The log file is populated by `cloneClient.json.php` during clone operations. Specifically, at line 118 of cloneClient.json.php, the script writes wget commands containing internal filesystem paths, and rsync command templates that expose SSH connection details (username, IP address, port). An attacker can directly request the endpoint:
`curl “https://target-avideo.com/plugin/CloneSite/client.log.php”`
If the CloneSite feature has ever been used, the response returns the entire client.log content. This includes wget commands with SQL dump file locations, rsync commands with SSH metadata, and other internal paths. Comparing with sibling endpoints – index.php, changeStatus.json.php, clones.json.php, `delete.json.php` – all check User::isAdmin(), making this omission glaring. No CVE ID has been assigned yet, but the vulnerability is confirmed by aisafe.io. The lack of authentication allows any unauthenticated user to read infrastructure details, which aids further targeted attacks.

dailycve form:

Platform: AVideo CloneSite Plugin
Version: All CloneSite versions
Vulnerability: Unauthenticated log disclosure
Severity: Medium
date: 2026-04-05

Prediction: Pending vendor patch

What Undercode Say:

Check if endpoint is exposed
curl -s -o /dev/null -w "%{http_code}" https://target.com/plugin/CloneSite/client.log.php
Extract sensitive data
curl -s https://target.com/plugin/CloneSite/client.log.php | grep -E "wget|rsync|ssh|mysql"
Log analysis for unauthorized access
sudo grep "plugin/CloneSite/client.log.php" /var/log/nginx/access.log | awk '{print $1,$7,$9}'
Monitor for exploitation attempts
tail -f /var/log/apache2/access.log | grep "client.log.php"

Exploit:

curl https://victim-avideo.com/plugin/CloneSite/client.log.php

The response leaks internal paths, wget commands (e.g., `wget http://internal-server/backup.sql`), rsync templates (e.g., `rsync -avz -e ‘ssh -p 2222’ [email protected]:/var/www/), and MySQL dump file locations.
<h2 style="color: blue;">Protection from this CVE</h2>
<h2 style="color: blue;">Add authentication check at the top of
plugin/CloneSite/client.log.php:</h2>

<?php
require_once '../../videos/configuration.php';
if (!User::isAdmin()) {
http_response_code(403);
die('Access denied');
}
include '../../videos/cache/clones/client.log';

Alternatively, remove the file or restrict access via.htaccess`:

<Files "client.log.php">
Require ip 127.0.0.1
</Files>

Impact:

Unauthenticated attackers gain internal filesystem paths, remote server URLs, SSH connection metadata (username, IP, port), and SQL dump locations. This information can be used to pivot to clone source servers, extract databases, or execute further attacks on the infrastructure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top