Authentication mechanism absence or evasion In wwbn/avideo
Description
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Summary
The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().
Details
The entire file at plugin/API/check.ffmpeg.json.php:
<?php $configFile = __DIR__.'/../../videos/configuration.php'; require_once $configFile; header('Content-Type: application/json'); $obj = testFFMPEGRemote(); die(json_encode($obj));...
No User::isAdmin(), User::isLogged(), or any access control check exists.
Compare with sibling endpoints in the same directory:
kill.ffmpeg.json.php checks User::isAdmin()
list.ffmpeg.json.php checks User::isAdmin()
Proof of Concept
curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"
Returns information about whether the platform uses a standalone FFmpeg server and its current reachability.
Impact
Infrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning.
Recommended Fix
Add an admin authentication check at plugin/API/check.ffmpeg.json.php:3, after require_once $configFile;:
if (!User::isAdmin()) { forbiddenPage('Admin only'); }
Found by aisafe.io
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 packagist | 29.0 |
Aliases
References