AVideo (YouPHPTube) Live Plugin, Authorization Bypass, CVE-2025-XXXX (High)

Listen to this Post

How the CVE Works

The vulnerability exists in `plugin/Live/uploadPoster.php` which handles poster image uploads for live streams. The endpoint accepts a `live_schedule_id` from `$_REQUEST` (line 11-12) to identify the target schedule. It verifies the user is logged in using `User::isLogged()` (line 14-17) but performs no ownership validation. An attacker can supply any numeric live_schedule_id, including those belonging to other users. The `Live_schedule` constructor loads schedule data by ID without authorization checks. File paths are generated using Live_schedule::getPosterPaths(), which builds paths solely from the provided ID. The uploaded file is moved to the victim’s poster path via `move_uploaded_file()` (line 48), overwriting the legitimate image. After a successful overwrite, the endpoint triggers a `socketLiveOFFCallback` broadcast (line 67-73). This uses `Live::notifySocketStats()` which calls sendSocketMessageToAll(), broadcasting the victim’s broadcast key and user ID to all connected WebSocket clients. The absence of an ownership check is an oversight, as parallel endpoints like `uploadPoster.json.php` and `view/Live_schedule/uploadPoster.php` contain proper authorization checks comparing the schedule owner’s user ID with the logged-in user.

dailycve form:

Platform: AVideo YouPHPTube
Version: 14.0 – 15.0
Vulnerability: Unauthorized Poster Overwrite
Severity: High
date: 2026-03-30

Prediction: 2026-04-15

What Undercode Say:

Enumerate live schedule IDs
for i in {1..100}; do echo "Checking ID $i"; curl -s -b cookies.txt "https://target.com/plugin/Live/uploadPoster.php?live_schedule_id=$i" -F "[email protected]" -F "live_servers_id=0"; done
Extract broadcast key from WebSocket notifications
Requires intercepting WebSocket traffic or analyzing socket.io logs

Exploit:

1. Authenticate as a low-privilege user.

  1. Send a POST request to `plugin/Live/uploadPoster.php` with a malicious image and a target live_schedule_id.
  2. The server overwrites the target poster without authorization.
  3. All connected WebSocket clients receive the victim’s broadcast key and user ID.

Protection from this CVE

  • Apply patch adding ownership check: `if ($ls->getUsers_id() != User::getId() && !User::isAdmin()) { die(‘Not authorized’); }`
    – Upgrade to patched version immediately.
  • Implement strict validation on all endpoints interacting with live_schedule_id.

Impact

  • Content Tampering: Attacker replaces any scheduled live stream poster with malicious images.
  • Information Disclosure: Victim’s broadcast key and user ID are leaked to all WebSocket clients.
  • Stream Disruption: Fake offline notifications mislead viewers, damaging stream availability.
  • Privilege Escalation: Low-privilege users can affect any scheduled stream without ownership.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top