CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

GHSA-QXVM-R42F-5P8J: Authentication Bypass via Meet Plugin in AVideo

Amit Schendel
Senior Security Researcher

May 15, 2026

PoC Available

Executive Summary (TL;DR)

A flaw in AVideo's Meet plugin allows authentication bypass and arbitrary user impersonation. By exploiting an insecure passwordless login mechanism linked to video file uploads, an attacker can obtain administrative access.

AVideo is vulnerable to a critical authentication bypass within the Meet plugin. An attacker possessing the Meet shared secret can impersonate any user, including administrators, by supplying a crafted filename to the video upload endpoint, leading to complete system compromise.

Vulnerability Overview

AVideo, formerly YouPHPTube, provides an open-source platform for video hosting and sharing. The software includes a Meet plugin designed to handle video conferencing features and recorded session uploads. This plugin exposes an endpoint at plugin/Meet/uploadRecordedVideo.json.php intended to process incoming video files from authorized meeting instances.

The endpoint relies on a shared secret for access control rather than standard user session tokens. While this mechanism verifies that the request originates from a system possessing the secret, it fails to authenticate the specific user context of the upload. This architectural decision creates an authentication bypass condition tracked under CWE-287 (Improper Authentication) and CWE-288 (Authentication Bypass Using an Alternate Path).

An attacker with knowledge of the Meet shared secret can interact directly with the upload endpoint. By providing a specifically crafted filename, the attacker forces the application to establish an authenticated session for an arbitrary user. This bypasses all password and multi-factor authentication requirements for the targeted account.

Root Cause Analysis

The vulnerability originates from insecure identity derivation within the video upload processing script. When a request reaches plugin/Meet/uploadRecordedVideo.json.php, the application extracts the target user identifier directly from the submitted filename. The codebase implicitly trusts this user-controlled input as a verified identity claim.

Following the extraction of the users_id variable, the script invokes a passwordless variant of the User->login() method. This function is typically reserved for internal state management or secure single-sign-on flows where identity is cryptographically proven. In this context, it is called solely based on the unverified integer parsed from the filename.

The application generates a valid session cookie for the specified user and returns it in the HTTP response. The sole barrier to this code path is the "Meet shared secret", a static token evaluated before the upload is processed. If this token is known, the application performs no further validation to ensure the entity making the request holds authorization to access the specified user account.

Code Analysis

The flaw exists in the sequence of operations handling the uploaded file parameters. The script receives the file and parses the filename string to isolate numeric identifiers. This parsed value is directly assigned to the internal user context variable.

// Vulnerable implementation pattern
$secret = $_POST['secret'];
if ($secret !== $meet_shared_secret) {
    die("Unauthorized");
}
 
// Unsafe extraction of users_id from filename
preg_match('/_user_([0-9]+)_/', $_FILES['video']['name'], $matches);
$users_id = $matches[1];
 
// Passwordless login triggered
$user = new User($users_id);
$user->login(true); // 'true' parameter skips password verification

The remediation requires removing the passwordless login logic from the upload handler entirely. The identity of the uploading user must be determined via an existing, securely established session rather than derived from file metadata. Furthermore, operations initiated by external plugins should operate under a principle of least privilege, rather than granting arbitrary session tokens.
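
The remediation described above, sketched as an added example (not AVideo's actual patch and not code from the original report): the shared secret is compared in constant time, the acting user comes only from an already authenticated session, and the filename never starts a login. The function name, its return shape and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo's patch. Function name, return shape and inputs are hypothetical.

/**
 * Authorize a recorded-video upload without deriving identity from the file.
 * $sessionUserId: id held by an already authenticated session, or null.
 * Returns [HTTP status, message, users_id the upload is attributed to].
 */
function authorizeRecordedUpload(array $post, array $file, ?int $sessionUserId, string $sharedSecret): array
{
    // The shared secret only shows the caller is a Meet instance; compare in constant time.
    $supplied = $post['secret'] ?? '';
    if (!is_string($supplied) || !hash_equals($sharedSecret, $supplied)) {
        return [401, 'Unauthorized', null];
    }
    // Identity comes from the established session, never from upload metadata.
    if ($sessionUserId === null || $sessionUserId <= 0) {
        return [403, 'No authenticated user session', null];
    }
    // The filename is untrusted: a user id inside it must agree with the session.
    $name = basename((string) ($file['name'] ?? ''));
    if (preg_match('/_user_([0-9]+)_/', $name, $m) === 1 && (int) $m[1] !== $sessionUserId) {
        return [403, 'Filename user does not match session user', null];
    }
    // No login() call and no new session cookie: the upload is only attributed.
    return [200, 'Accepted', $sessionUserId];
}

// Constructed cases: [POST fields, file entry, session user id]
$secret = 'constructed-secret-value';
$cases = [
    'secret only, no session'      => [['secret' => $secret], ['name' => 'rec_user_1_a.webm'], null],
    'session 7, filename claims 1' => [['secret' => $secret], ['name' => 'rec_user_1_a.webm'], 7],
    'session 7, filename matches'  => [['secret' => $secret], ['name' => 'rec_user_7_a.webm'], 7],
    'wrong secret'                 => [['secret' => 'wrong'], ['name' => 'rec_user_7_a.webm'], 7],
];
foreach ($cases as $label => [$post, $file, $sessionUserId]) {
    [$status, $message] = authorizeRecordedUpload($post, $file, $sessionUserId, $secret);
    printf("%-30s -> %d %s\n", $label, $status, $message);
}
```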

Exploitation Methodology

Exploiting this vulnerability requires network access to the AVideo instance and knowledge of the Meet shared secret. This secret is often configured during the initial setup of the Meet plugin and may be documented in deployment scripts, shared among administrators, or left at default values.

The attacker constructs an HTTP POST request targeting plugin/Meet/uploadRecordedVideo.json.php. The payload includes the shared secret in the authentication header or POST body, alongside a multipart form-data file upload. The filename is crafted to match the regular expression utilized by the application, injecting the integer 1 to target the default administrative account.

Upon processing the request, the application evaluates the shared secret, successfully matches the configured value, and executes the identity derivation. The server responds with a valid PHPSESSID cookie bound to the administrative user. The attacker extracts this cookie and applies it to their browser session, achieving full administrative access to the web interface.

Impact Assessment

The vulnerability results in a total compromise of the AVideo platform. By targeting the administrator account, an external attacker gains the highest level of privilege available within the application context. This allows for arbitrary configuration changes, user management, and video content manipulation.

From an administrative context, attackers routinely escalate to code execution on the underlying operating system. Modern PHP applications typically expose features such as plugin installation, theme modification, or file management that can be abused to write arbitrary PHP files to the web root. This transforms the authentication bypass into remote code execution.

The reliance on a static shared secret mitigates the risk only marginally. Shared secrets are frequently exposed through directory traversal vulnerabilities, backup file leaks, or source code repository misconfigurations. Once the secret is compromised, the vulnerability provides a reliable, persistent backdoor into the application that functions independently of password resets.

Remediation and Detection

Administrators must apply the latest security patches provided by the AVideo maintainers. The patched versions redesign the upload handling logic within the Meet plugin to rely on secure session state rather than file-derived parameters. Updating the core application and all associated plugins is required to ensure complete coverage.

Organizations utilizing the Meet plugin must rotate the "Meet shared secret" immediately. The new secret must be a cryptographically secure, highly entropic string. Administrators should verify that this secret is not hardcoded in client-side scripts or exposed in public version control repositories.

Security teams should review web server access logs for anomalous interactions with uploadRecordedVideo.json.php. Indicators of compromise include requests originating from IP addresses unrelated to the legitimate meeting infrastructure, or consecutive requests containing varying user identifiers in the upload payload. Furthermore, any passwordless session instantiation should be audited at the application layer.
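
The log review described above, as an added example (not part of the original report or of AVideo): a PHP CLI script that counts POSTs to uploadRecordedVideo.json.php per source address in combined-format access logs and reports sources outside an allowlist of meeting servers or above a request threshold. The allowlist, threshold and log lines are constructed. Standard access logs do not record the multipart filename, so the varying-user-identifier indicator needs application-layer logging and is not covered here.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo code. Allowlist, threshold and log lines are constructed.
const ENDPOINT = 'plugin/Meet/uploadRecordedVideo.json.php';

/** True if IPv4 $ip lies inside $cidr such as "10.20.0.0/24" (assumes 64-bit PHP). */
function inCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) {
        return false; // IPv6 or malformed input is treated as not allowlisted
    }
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

/** Count POSTs to the Meet upload endpoint per source; report unknown or bursty sources. */
function triage(array $lines, array $allowCidrs, int $burst = 3): array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST (\S+)[^"]*" \d{3} /';
    $seen = [];
    foreach ($lines as $line) {
        $path = preg_match($re, $line, $m) === 1 ? (string) parse_url($m[2], PHP_URL_PATH) : '';
        if (substr($path, -strlen(ENDPOINT)) === ENDPOINT) {
            $seen[$m[1]] = ($seen[$m[1]] ?? 0) + 1;
        }
    }
    $findings = [];
    foreach ($seen as $ip => $count) {
        $hits = array_filter($allowCidrs, fn ($cidr) => inCidr((string) $ip, $cidr));
        if ($hits === [] || $count >= $burst) {
            $findings[$ip] = ['requests' => $count, 'allowlisted' => $hits !== []];
        }
    }
    return $findings;
}

// Constructed combined-format lines; 10.20.0.0/24 stands in for the Meet servers.
$req = '"POST /plugin/Meet/uploadRecordedVideo.json.php HTTP/1.1" 200 512 "-" "-"';
$log = [
    "10.20.0.5 - - [10/May/2026:09:00:01 +0000] $req",
    "203.0.113.9 - - [10/May/2026:09:14:30 +0000] $req",
    "203.0.113.9 - - [10/May/2026:09:14:31 +0000] $req",
    '198.51.100.4 - - [10/May/2026:09:20:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
];
print_r(triage($log, ['10.20.0.0/24']));
```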

Technical Appendix

CVSS Score: 9.8 / 10

Affected Systems

  • AVideo (formerly YouPHPTube)
  • AVideo Meet Plugin

Affected Versions Detail

  • Product: AVideo Meet Plugin (WWBN)
  • Affected Versions: All unpatched versions
  • Fixed Version: Latest repository commit

Attribute / Detail

  • CWE ID: CWE-287 / CWE-288 / CWE-306
  • Attack Vector: Network
  • Authentication: Shared Secret Required
  • Impact: Administrative Privilege Escalation
  • Exploit Status: Proof of Concept
  • Vulnerable Component: uploadRecordedVideo.json.php

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1078 Valid Accounts (Defense Evasion)

CWE-287: Improper Authentication

Improper authentication mechanism allowing bypass via alternative path and unsanitized parameters.
