[MEDIUM] Security Advisory: AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php (wwbn/avideo)

AVideo platforms running the SocialMediaPublisher plugin face a critical exposure: an unauthenticated endpoint that proxies requests straight to Instagram’s Graph API. Attackers can hijack this to fire off arbitrary API calls using your server’s IP, sidestepping their own rate limits or blocks from Meta. No login required—just send parameters like access tokens and account IDs.

The flaw sits in plugin/SocialMediaPublisher/publishInstagram.json.php. Line 14 blindly forwards $_REQUEST params to InstagramUploader::publishMediaIfIsReady() without checking if the user is logged in or admin. Compare that to sibling files: uploadVideo.json.php demands User::isLogged(), and refresh.json.php needs User::isAdmin(). This inconsistency screams oversight in a plugin meant for social publishing.
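The following is an added example, written for this page and not code from the AVideo project, showing what the handler would look like with the gate its siblings already have. It assumes the usual AVideo bootstrap include path, assumes an argument order of (account ID, container ID, token) for InstagramUploader::publishMediaIfIsReady(), and uses a hypothetical lookupStoredInstagramToken() function in place of whatever configuration lookup the plugin really performs. The parameter names accessToken, containerId and instagramAccountId are the ones the advisory's proof of concept sends.

```php
<?php
// Added example, not AVideo's publishInstagram.json.php: the same endpoint with
// an authentication gate, input validation, and no client-supplied token.
// Assumed: the bootstrap path below (common AVideo plugin pattern) and the
// argument order of InstagramUploader::publishMediaIfIsReady().
require_once dirname(__FILE__) . '/../../videos/configuration.php';

header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';

// 1. Authentication gate. The vulnerable file has none; uploadVideo.json.php
//    uses User::isLogged() and refresh.json.php uses User::isAdmin(). Posting
//    on behalf of the site's Instagram account is an administrative action,
//    so the stricter check is the right one.
if (!User::isAdmin()) {
    http_response_code(403);
    $obj->msg = 'Admin login required';
    die(json_encode($obj));
}

// 2. Only accept POST so the endpoint cannot be triggered by a plain link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    $obj->msg = 'POST required';
    die(json_encode($obj));
}

// 3. Validate the two identifiers the server actually needs. Read from $_POST,
//    not $_REQUEST, so query-string or cookie values cannot substitute for them.
//    Graph API object IDs are numeric strings; anything else is rejected.
$containerId = $_POST['containerId'] ?? '';
$instagramAccountId = $_POST['instagramAccountId'] ?? '';
if (!preg_match('/^\d{1,40}$/', $containerId) || !preg_match('/^\d{1,40}$/', $instagramAccountId)) {
    http_response_code(400);
    $obj->msg = 'Invalid containerId or instagramAccountId';
    die(json_encode($obj));
}

// 4. Never take the access token from the request. Only the token the plugin
//    stored during its own Instagram setup should be used. lookupStoredInstagramToken()
//    is a hypothetical helper standing in for the plugin's configuration lookup.
$accessToken = lookupStoredInstagramToken($instagramAccountId);
if (empty($accessToken)) {
    http_response_code(400);
    $obj->msg = 'No Instagram credentials configured for this account';
    die(json_encode($obj));
}

// 5. Forward only validated, server-side values. The original forwarded
//    $_REQUEST unchanged, which is what turned it into an open proxy.
$obj->error = false;
$obj->result = InstagramUploader::publishMediaIfIsReady($instagramAccountId, $containerId, $accessToken);
echo json_encode($obj);
```

The admin gate alone closes the unauthenticated proxy; refusing a client-supplied accessToken is what stops a logged-in but low-privilege user, or an attacker holding one stolen session, from relaying arbitrary Graph API calls through the server's IP.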

Vulnerability Breakdown

AVideo, an open-source video platform forked from YouPHPTube, powers thousands of self-hosted sites. Many operators enable plugins like SocialMediaPublisher to auto-post videos to Instagram. But this endpoint turns your server into a public relay for Meta’s API. Feed it a valid access token—stolen from a user, leaked via prior bugs like AVI-027, or phished—and it executes. Invalid params? You still get a Graph API error like OAuth code 190, proving the proxy works.

Tested on live instances, the endpoint processes requests without hesitation. Meta logs your server’s IP for every call, not the attacker’s. Why does this matter? Attackers evade personal IP bans, dodge rate limits (Graph API caps at 200 calls/hour per user, but proxies multiply that), or mask origins during abuse campaigns.

Proof of Concept

Reproduce it with a simple curl—no auth headers, no session cookies:

curl -s "https://your-avideo-instance.com/plugin/SocialMediaPublisher/publishInstagram.json.php" \
  -d "accessToken=TEST_TOKEN&containerId=TEST_CONTAINER&instagramAccountId=TEST_ACCOUNT"

Response confirms proxying:

{
  "error": {
    "message": "Invalid OAuth access token.",
    "type": "OAuthException",
    "code": 190
  }
}

Swap in real creds from AVI-027 (which leaked unauth access to social API keys), and you publish to the target’s Instagram. Check siblings for contrast:

# Fails without login
curl -s "https://your-avideo-instance.com/plugin/SocialMediaPublisher/uploadVideo.json.php"

# Fails without admin
curl -s "https://your-avideo-instance.com/plugin/SocialMediaPublisher/refresh.json.php"

Real-World Impact

Operators lose control fast. Pair this with AVI-027’s credential dumps, and attackers post spam, delete videos, or hijack accounts via your server. Your IP takes the hit: Meta could throttle or ban it, crippling legit API use. Broader abuse includes token laundering—attackers rotate stolen keys through proxies like this, extending their lifespan before detection.

Scan results show hundreds of exposed AVideo installs. Versions before recent patches remain wide open; check your plugin/SocialMediaPublisher dir. Fix? Delete or gate the endpoint behind auth. But skepticism here: AVideo’s track record—dozens of CVEs yearly—means patches lag. Self-hosters, audit plugins ruthlessly. This isn’t hype; it’s a server-side request forgery vector straight to Meta’s empire, costing time, accounts, and reputation.

Why care beyond one plugin? Proxies like this fuel botnets. In 2023, Graph API abuse spiked 40% per Meta reports, often via misconfigs. Your AVideo box could join that stat line, proxying thousands of calls daily until blacklisted. Patch now, monitor logs for publishInstagram.json.php hits, and revoke any leaked tokens. Ignore at your peril.
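As an added example of the log monitoring suggested above, and not part of the advisory, the script below reviews an Apache combined-format access log for hits on publishInstagram.json.php. The log lines are constructed samples: the endpoint path is the real one, but the IP addresses, timestamps, user agents and the token value are invented. It flags source IPs that burst against the endpoint, calls that carry an access token in the URL (which means the token now sits in the log and should be revoked), and direct calls with no Referer, a heuristic for scripted use since the site's own UI sends one.

```php
<?php
// Added example: review an access log for hits on the open endpoint.
// Sample log lines are constructed; only the endpoint path is real.

const ENDPOINT = '/plugin/SocialMediaPublisher/publishInstagram.json.php';

$sampleLog = <<<'LOG'
203.0.113.7 - - [04/Apr/2026:10:00:01 +0000] "POST /plugin/SocialMediaPublisher/publishInstagram.json.php HTTP/1.1" 200 98 "-" "curl/8.4.0"
203.0.113.7 - - [04/Apr/2026:10:00:02 +0000] "POST /plugin/SocialMediaPublisher/publishInstagram.json.php HTTP/1.1" 200 98 "-" "curl/8.4.0"
203.0.113.7 - - [04/Apr/2026:10:00:03 +0000] "POST /plugin/SocialMediaPublisher/publishInstagram.json.php HTTP/1.1" 200 98 "-" "curl/8.4.0"
198.51.100.22 - - [04/Apr/2026:10:05:00 +0000] "GET /plugin/SocialMediaPublisher/publishInstagram.json.php?accessToken=CONSTRUCTED_TOKEN&containerId=123 HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Apr/2026:10:06:00 +0000] "POST /plugin/SocialMediaPublisher/publishInstagram.json.php HTTP/1.1" 200 120 "https://your-avideo-instance.com/mvideos" "Mozilla/5.0"
192.0.2.9 - - [04/Apr/2026:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; null if it does not match.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $url['path'] ?? $m[4],
        'query'   => $url['query'] ?? '',
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

// Walk the log and return a list of human-readable alerts for the endpoint.
function reviewLog(string $log, int $burstThreshold = 3): array
{
    $alerts = [];
    $hitsPerIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLogLine($line);
        if ($r === null || $r['path'] !== ENDPOINT) {
            continue;
        }
        $hitsPerIp[$r['ip']] = ($hitsPerIp[$r['ip']] ?? 0) + 1;

        // A token in the query string is now written to disk in this log.
        if ($r['method'] === 'GET' && stripos($r['query'], 'accessToken=') !== false) {
            $alerts[] = sprintf('%s %s: access token passed in URL, revoke it', $r['time'], $r['ip']);
        }
        // Browser calls from the site's own pages carry a Referer; tools usually do not.
        if ($r['referer'] === '-') {
            $alerts[] = sprintf('%s %s: direct call with no Referer (%s), likely scripted', $r['time'], $r['ip'], $r['ua']);
        }
    }
    // Repeated calls from one source are the proxy-abuse pattern the advisory describes.
    foreach ($hitsPerIp as $ip => $n) {
        if ($n >= $burstThreshold) {
            $alerts[] = sprintf('%s: %d hits on %s, review for proxy abuse', $ip, $n, ENDPOINT);
        }
    }
    return $alerts;
}

foreach (reviewLog($sampleLog) as $alert) {
    echo $alert, PHP_EOL;
}
```

Run against a real log with `php review.php < access.log` after swapping the heredoc for `stream_get_contents(STDIN)`; the burst threshold is deliberately low here because on a patched instance the endpoint should see no unauthenticated traffic at all, so any hit outside an admin session is worth a look.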

April 4, 2026 · 3 min · 11 views · Source: GitHub Security
