Cross-site request forgery in wwbn/avideo
Description
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)
Summary
The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.
Details
In admin/playerUpdate.json.php at line 17, the player skin is set directly from POST data:
```php
$pluginDO->skin = $_POST['skin'];
```
No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the plugins table is registered in ignoreTableSecurityCheck(), which explicitly bypasses this ORM-level protection for plugin configuration.
AVideo's session cookies are configured with SameSite=None, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website.
An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.
Proof of Concept
Host the following HTML on an attacker-controlled domain:
```html
<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<form id="csrf" method="POST" action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
<input type="hidden" name="skin" value="minimalist" />
...
```
When an authenticated admin visits this page, the platform's player skin is changed without their knowledge.
Impact
- Platform-wide player appearance modification without admin consent
- Potential disruption of video playback if an invalid skin value is set
- The ORM security bypass via ignoreTableSecurityCheck() means there is no fallback protection
- Can be used as part of a broader defacement or social engineering attack
Recommended Fix
Add CSRF token validation at admin/playerUpdate.json.php, before processing POST data:
```php
// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}
```
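A fuller version of that check, added here as an example and not AVideo's own code: besides the token it restores the Origin/Referer host check the ORM skips for the plugins table and restricts `skin` to a known list. The ALLOWED_SKINS values, the session-array token helper (standing in for isGlobalTokenValid()) and the request arrays are constructed assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo's own code: the checks a hardened
// admin/playerUpdate.json.php should pass before assigning $pluginDO->skin.
// ALLOWED_SKINS is constructed here; the project's real skin list would go in its place.
const ALLOWED_SKINS = ['default', 'minimalist', 'dark'];
// Per-session token, a stand-in for the page's isGlobalTokenValid() helper.
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] ??= bin2hex(random_bytes(32));
    return $session['csrf_token'];
}
function isCsrfTokenValid(array $session, ?string $submitted): bool
{
    // Constant-time comparison; a missing token never matches.
    return is_string($submitted) && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}
// Origin/Referer host check: the layer the ORM normally supplies but skips
// for the plugins table. A POST carrying neither header is refused.
function isSameOrigin(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = $source === '' ? null : parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}
// Returns ['ok' => true, 'skin' => ...] or ['ok' => false, 'error' => ...].
function validateSkinUpdate(array $post, array $server, array $session, string $host): array
{
    if (!isCsrfTokenValid($session, $post['csrf_token'] ?? null)) {
        return ['ok' => false, 'error' => 'Invalid CSRF token'];
    }
    if (!isSameOrigin($server, $host)) {
        return ['ok' => false, 'error' => 'Cross-origin request rejected'];
    }
    $skin = $post['skin'] ?? '';
    if (!in_array($skin, ALLOWED_SKINS, true)) {
        return ['ok' => false, 'error' => 'Unknown skin'];
    }
    return ['ok' => true, 'skin' => $skin];
}
// Constructed requests: the advisory's cross-site form (no token, foreign Origin) versus a same-origin admin form carrying the session token.
$session = [];
$token = issueCsrfToken($session);
$host = 'your-avideo-instance.com';
print_r(validateSkinUpdate(['skin' => 'minimalist'],
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://evil.example'], $session, $host));
print_r(validateSkinUpdate(['skin' => 'minimalist', 'csrf_token' => $token],
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => "https://$host"], $session, $host));
```

Issuing the session cookie with session_set_cookie_params(['samesite' => 'Lax', 'secure' => true]) before session_start() would also remove the SameSite=None condition the advisory relies on, giving a third independent layer.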
Found by aisafe.io
Mitigation
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| packagist | 29.0 |