Use of insecure channel - Source code In wwbn/avideo
Description
AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
Summary
objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain — ideal for targeted phishing and brand impersonation.
Details
Vulnerable code (objects/sendEmail.json.php):
10: $valid = Captcha::validation(@$_POST['captcha']); 11: if(User::isAdmin()){ 12: $valid = true; 13: } ... 16: if ($valid) { ... 24: $mail = new \PHPMailer\PHPMailer\PHPMailer();...
User::getEmail_() (objects/user.php:345-352): returns '' when the caller is not logged in, driving the fallback to $config->getContactEmail().
Endpoint is publicly callable. objects/functionsSecurity.php:879-918 lists sendEmail.json.php in the built-in "public write actions" CSRF/same-domain bypass:
static $builtinBypass = [ ... // Public write actions 'sendEmail.json.php', ... ]; if (in_array($baseName, $builtinBypass, true)) { return; }
Why existing defenses don't mitigate the abuse:
Captcha (Captcha::validation): costs one solve per email. Manual solves remain viable for targeted phishing, and a separate captcha-bypass primitive in this codebase (tracked separately) automates abuse.
FILTER_VALIDATE_EMAIL (line 43): validates $sendTo format, preventing CRLF/header injection, but does not verify that the sender is authorized to send to that address.
htmlspecialchars on $safeEmail/$safeComment/$safeFirstName: blocks HTML injection in the rendered message but does not prevent phishing content — attacker fully controls the visible text (URL, instructions) and the perceived sender.
No rate limiting, no auth check, no association between the caller and the recipient address.
Flow summary for the abuse case (unauthenticated, no contactForm):
User::getEmail_() → '', so $replyTo = site's contact email (line 32)
$sendTo = attacker's chosen recipient (line 35)
contactForm branch skipped (line 38)
Site's SMTP sends From: <site contact> to <victim> with attacker's subject/body (lines 44-51)
Because the message is genuinely relayed by the site's mail infrastructure, SPF/DKIM/DMARC for the site's domain pass, making the phishing message indistinguishable from legitimate site mail.
PoC
Endpoint: POST /objects/sendEmail.json.php (also reachable via POST /sendEmail per .htaccess:201).
# 1. Obtain a session + captcha image curl -c cookies.txt -s 'http://target.example.com/captcha.php?refresh=1' -o captcha.png # - setFrom($replyTo) -> From: is the site's real address curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \ --data-urlencode 'captcha=abc123' \ --data-urlencode '[email protected]' \ --data-urlencode 'first_name=Support Team' \...
Expected server response:
{"error":"","success":"Message sent"}
Delivered headers at [email protected]:
From: <site's legitimate contact email, e.g. [email protected]> Reply-To: <site's legitimate contact email> To: [email protected] Subject: Message From Site <SiteName> (Support Team) Body: <b>Email:</b> [email protected]<br><br>Urgent: Your account will be suspended...
Contrast with the intended contactForm=1 flow (correctly routes to the site owner):
curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \ --data-urlencode 'captcha=<newcaptcha>' \ --data-urlencode '[email protected]' \ --data-urlencode 'comment=hi' \ --data-urlencode 'contactForm=1' # -> $sendTo = site owner's contact email; $replyTo = attacker's email. (Normal contact form.)
Omitting contactForm inverts the routing and turns the endpoint into an unauthenticated sender-for-hire using the site's own From: identity.
Impact
Phishing with the site's real sender identity. Mail originates from the site's SMTP, so SPF/DKIM/DMARC pass; the message is indistinguishable from legitimate site communications and bypasses inbox anti-phishing heuristics.
Brand impersonation / account-takeover chains. Attacker-controlled subject (first_name) and body (comment) support credential-harvesting pages that appear to come from the site operator.
Mail-reputation damage. Repeated abuse can blacklist the site's sending IP/domain, degrading legitimate mail deliverability.
Works against any AVideo instance with SMTP configured — a default deployment after the admin configures SMTP for standard notifications. No privileged position, credentials, or non-default flags required.
Recommended Fix
Collapse the endpoint to contact-owner-only behavior and require either authentication or contactForm=1. Minimal patch:
// objects/sendEmail.json.php ... $valid = Captcha::validation(@$_POST['captcha']); if (User::isAdmin()) { $valid = true; } // Reject the non-contactForm branch for unauthenticated callers....
Additional hardening:
Always use a dedicated no-reply@ address in setFrom(); put the caller's address only in Reply-To. Never reuse $config->getContactEmail() as the From for user-initiated messages.
For the logged-in "share" flow, verify the caller's email has been confirmed, and rate-limit by user id and by IP.
Drop the non-contactForm branch entirely if no legitimate unauthenticated UI caller remains.
Add a visible "user-submitted message via our site" banner to the email body so recipients can distinguish these from first-party communications.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version |
|---|---|---|
 packagist | wwbn/avideo |
Aliases
References