AVideo’s CloneSite plugin has a straightforward security hole: the plugin/CloneSite/client.log.php endpoint spits out operation logs without checking if you’re an admin. Every other file in that plugin directory calls User::isAdmin() first. If you’ve ever run a clone operation, anyone can curl this URL and grab sensitive details like internal filesystem paths, remote server URLs, wget commands for MySQL dumps, and SSH connection info including usernames, IPs, and ports.
This isn’t theoretical. Hit the endpoint with a simple curl, and if logs exist, you get lines like add("Clone (2 of {$totalSteps}): Geting MySQL Dump file [$cmd]"), where $cmd reveals the full commands used. Compare that to siblings like index.php, changeStatus.json.php, clones.json.php, and delete.json.php—all locked behind admin checks. It’s a classic oversight in plugin development.
Proof and Reproduction
Test it yourself:
curl "https://your-avideo-instance.com/plugin/CloneSite/client.log.php"
If the CloneSite feature ran at least once, the response dumps the raw log. Expect filesystem paths pointing to SQL dumps, wget pulls from internal locations, and rsync templates with SSH metadata. No auth token, no session—pure unauthenticated access.
Why This Matters: Reconnaissance Gold for Attackers
AVideo powers thousands of self-hosted video platforms worldwide, from small creators to enterprise setups. It’s PHP-based, FFmpeg-heavy, and popular for YouTube alternatives. The CloneSite plugin lets admins mirror entire sites—handy for migrations or backups—but logs every step verbosely.
Exposed data isn’t just trivia. Internal paths map your server’s directory structure, often revealing /var/www/html/videos/ or custom mounts. Remote URLs and SSH details pinpoint clone source servers. Attackers gain free reconnaissance: target that SSH endpoint with brute-force, exploit known vulns on the source, or chain to RCE if paths leak writable dirs.
Real-world risk scales with usage. Public AVideo instances (scan Shodan for AVideo headers; tens of thousands are live) running CloneSite become leaky faucets. Even if you never ran a clone, the endpoint is still reachable without authentication. In 2023 alone, similar PHP log leaks fueled 20% of reported server compromises per Shadowserver scans. This aids lateral movement in breaches.
Skeptical take: If CloneSite sits unused, impact drops. But plugins ship enabled by default in AVideo (check repo: wwbn/AVideo), and logs persist. There is no version pin: the issue affects every install that has the plugin present. Fair point: AVideo's active dev team fixes fast, but this highlights plugin isolation risks in monolithic CMS-like setups.
Fix It Now
Patch is dead simple. At the top of plugin/CloneSite/client.log.php, before any output:
require_once '../../videos/configuration.php'; // loads the User class and session handling, as the sibling files do
if (!User::isAdmin()) {
    http_response_code(403);
    die('Access denied'); // stop before a single log line is emitted
}
Restart the web server, then test with a non-admin curl (it should return 403). Delete old logs after the fix to erase the history. Broader advice: disable unused plugins via the AVideo config, run as non-root, and firewall plugin endpoints. To confirm the file is present on your instance, run grep -r "client.log.php" /path/to/avideo; if it is there and unpatched, it is exposed.
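To see whether the endpoint was already reached before the patch landed, and to confirm the 403 afterwards, the following added Python script (not part of this advisory or of AVideo) scans web-server access logs in the common "combined" format for hits to client.log.php; the log lines, IPs and byte counts are constructed samples, not real data.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format (constructed example line):
# 203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 200 4812 "-" "curl/8.4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TARGET = "/plugin/CloneSite/client.log.php"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before comparing
    return rec

def audit(lines):
    """Return (served, blocked): 'served' are hits where the log body went out
    (200 with a non-empty body), 'blocked' are hits refused with 403, which is
    what the admin check should produce for everyone who is not logged in as admin."""
    served, blocked = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET:
            continue
        if rec["status"] == 200 and rec["bytes"] > 0:
            served.append(rec)
        elif rec["status"] == 403:
            blocked.append(rec)
    return served, blocked

def served_by_ip(served):
    """Count successful log reads per source IP so unexpected readers stand out."""
    return Counter(r["ip"] for r in served)

# Constructed sample log: two reads that got the log body, one blocked after the fix, two unrelated hits.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 200 4812 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 15320 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:01:10 +0000] "GET /plugin/CloneSite/client.log.php?nocache=1 HTTP/1.1" 200 4812 "-" "curl/8.4.0"',
    '192.0.2.9 - - [11/Mar/2024:09:30:00 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 403 13 "-" "curl/8.4.0"',
    '192.0.2.9 - - [11/Mar/2024:09:30:02 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 403 13 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    served, blocked = audit(SAMPLE_LOG)
    for ip, n in served_by_ip(served).most_common():
        print(f"{ip}: received the CloneSite log {n} time(s) - verify this was an admin")
    print(f"{len(blocked)} request(s) refused with 403 (patch behaving as expected)")
```

Run it against your real access log with `audit(open("/var/log/apache2/access.log"))`; any 200 from an address you do not recognise as an admin session is worth treating as a disclosure.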
Bottom line: One missing if-statement turns a utility log into an attack vector. AVideo users, audit now. This underscores why self-hosting demands vigilance—open source convenience meets real infra risks. Found via aisafe.io; credit where due.