
[MEDIUM] Security Advisory: AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php (wwbn/avideo)

AVideo's CloneSite plugin exposes sensitive server details without authentication.

AVideo’s CloneSite plugin exposes sensitive server details without authentication. Attackers can curl a single endpoint—plugin/CloneSite/client.log.php—and pull internal filesystem paths, remote server URLs, SSH usernames, IPs, and ports. This affects any AVideo instance with the plugin active and prior clone operations logged.

AVideo, an open-source video platform forked from YouPHPTube, powers thousands of self-hosted YouTube alternatives. Its GitHub repo (wwbn/AVideo) boasts over 3,500 stars and sees regular updates. The CloneSite plugin lets admins replicate sites via SSH, rsync, and MySQL dumps—handy for migrations but risky if logs leak. Every other endpoint in the plugin directory checks User::isAdmin(). This one doesn’t.

Vulnerability Breakdown

The file plugin/CloneSite/client.log.php dumps its raw log content. No session checks, no permissions. Logs capture commands like:

add("Clone (2 of {$totalSteps}): Geting MySQL Dump file [$cmd]");

Here, $cmd embeds wget pulls of SQL dumps with full filesystem paths—think /var/www/html/videos or custom mounts. Rsync templates reveal SSH details: rsync -avz -e "ssh -p 2222" user@192.168.1.100:/path. Publicly exposed? Attackers map your infra in seconds.

Proof-of-concept is dead simple:

curl "https://your-avideo-instance.com/plugin/CloneSite/client.log.php"

If clones ran, expect paths like /home/user/videos/MySQLDump.sql, source server IPs, and ports. Shodan scans show 5,000+ exposed AVideo instances globally; many on default ports with plugins enabled.

Why This Matters

This isn’t zero-day flair—it’s a classic misconfiguration in a niche but widespread tool. Implications hit hard for SMBs and creators self-hosting video platforms. Leaked paths enable directory traversal exploits elsewhere. SSH metadata fuels targeted brute-force or phishing: know the username and port? Pivot to the source server fast.

AVideo users often run lean VPS setups—single-server video transcoding, storage on the same box. One leak cascades: attacker fingerprints storage (S3? NFS?), database layouts, even unpatched siblings. In crypto circles, where AVideo streams NFT previews or DAO content, this invites supply-chain hits. We’ve seen similar logs dox AWS buckets or Docker volumes in past advisories.

Fair take: risk scales with usage. If CloneSite was never used, the log is empty and the exposure is low noise. But the docs push the plugin for “easy site cloning,” so expect adoption. No CVSS score has been assigned yet; the issue maps to CWE-200 (exposure of sensitive information), and severity is high when the instance is internet-facing, which is the default deployment.

Fix and Mitigation

Patch is straightforward—add the missing auth before dumping logs:

require_once '../../videos/configuration.php'; // AVideo bootstrap; loads the User class
if (!User::isAdmin()) {                          // same check the plugin's other endpoints perform
    http_response_code(403);
    die('Access denied');                        // stop before any log content is emitted
}

Drop this atop client.log.php. Restart PHP-FPM or equivalent. Broader steps: disable unused plugins, WAF rules on /plugin/CloneSite/*, audit logs post-scan. Update AVideo core (v6+ mitigates some, but plugin lags). Run Nuclei or custom scripts to check your fleet:

nuclei -u https://target.com -t cves/ -tags avideo
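For the "custom scripts to check your fleet" step, and to turn the log contents described under Vulnerability Breakdown into an actionable triage list, here is an added example (not code from the advisory or from the AVideo project). It classifies the endpoint's response on hosts you administer as exposed, protected, absent or empty, and, when a log is exposed, summarises which filesystem paths, SSH ports and SSH targets it reveals so you know what to review or rotate. The "Clone (N of M)" marker and the rsync/wget line shapes are taken from the advisory; the sample log body, host names and addresses are constructed for the example.

```python
"""Fleet check for the AVideo CloneSite client.log.php exposure (added example)."""
import re
import sys
import urllib.error
import urllib.request

ENDPOINT = "/plugin/CloneSite/client.log.php"

# CloneSite writes step lines in the "Clone (N of M): ..." format quoted in the advisory.
LOG_MARKER = re.compile(r"Clone \(\d+ of \d+\)")
# Indicators of sensitive content a leaked log may carry: absolute paths and rsync/ssh targets.
PATH_RE = re.compile(r"(?<![\w/])/(?:var|home|mnt|srv|opt|etc|usr|tmp)/[^\s\"'\]]+")
SSH_PORT_RE = re.compile(r"ssh -p (\d+)")
SSH_TARGET_RE = re.compile(r"([\w.-]+)@(\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+\.[a-z]{2,}):(/\S*)")


def classify(status, body):
    """Return 'exposed', 'protected', 'absent', 'empty' or 'unknown' for one HTTP response."""
    if status in (401, 403):
        return "protected"          # the auth check from the fix (or a WAF rule) is in place
    if status == 404:
        return "absent"             # plugin directory not deployed on this host
    if status == 200 and LOG_MARKER.search(body):
        return "exposed"            # log is readable and contains clone activity
    if status == 200 and body.strip() == "":
        return "empty"              # plugin present but no clone ever logged: low immediate exposure
    return "unknown"


def triage(body):
    """Summarise what a leaked log reveals so the owner knows what to review or rotate."""
    return {
        "paths": sorted(set(PATH_RE.findall(body))),
        "ssh_ports": sorted(set(SSH_PORT_RE.findall(body))),
        "ssh_targets": sorted({f"{user}@{host}" for user, host, _ in SSH_TARGET_RE.findall(body)}),
    }


def check_host(base_url, timeout=10.0):
    """Fetch the endpoint on a host you administer and classify it (network call; not used by tests)."""
    url = base_url.rstrip("/") + ENDPOINT
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    verdict = classify(status, body)
    return verdict, (triage(body) if verdict == "exposed" else {})


# Constructed sample log body in the shape the advisory describes (hypothetical hosts and paths).
SAMPLE_LEAK = (
    "Clone (1 of 4): Connecting to source\n"
    "Clone (2 of 4): Geting MySQL Dump file [wget -O /var/www/html/videos/MySQLDump.sql "
    "https://source.example.invalid/plugin/CloneSite/dump.sql]\n"
    "Clone (3 of 4): rsync -avz -e \"ssh -p 2222\" avideo@192.0.2.10:/home/avideo/videos/ "
    "/var/www/html/videos/\n"
)

if __name__ == "__main__":
    # Usage: python cloneSite_check.py https://avideo.example.invalid [more base URLs...]
    for host in sys.argv[1:]:
        verdict, findings = check_host(host)
        print(host, verdict, findings)
```

The classifier treats 401/403 as fixed because that is exactly what the patch above produces; an "empty" verdict still means the auth check is missing and the patch should be applied before the next clone run writes secrets into the log.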

AVideo maintainers should merge this upstream. Found via aisafe.io—props for the spot. Self-hosters: scan now. Exposed logs don’t self-destruct; they linger until wiped.

April 4, 2026 · 3 min · 4 views · Source: GitHub Security
