The AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so.
An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform.
The file plugin/Live/on_publish_done.php processes RTMP server callbacks when a stream ends. It accepts a POST parameter name (the stream key) and directly uses it to look up and terminate the corresponding stream session.
// plugin/Live/on_publish_done.php
$row = LiveTransmitionHistory::getLatest($_POST['name'], $live_servers_id, 10);
$insert_row = LiveTransmitionHistory::finishFromTransmitionHistoryId($row['id']);
There is no authentication check anywhere in the file - no User::isLogged(), no User::isAdmin(), no token validation. The endpoint is designed to be called by the RTMP server (e.g., Nginx-RTMP), but since it is a standard HTTP endpoint, any external client can call it directly.
Additionally, stream keys can be harvested from the unauthenticated stats.json.php endpoint, which returns information about active streams including their keys.
curl -s "https://your-avideo-instance.com/plugin/Live/stats.json.php" | python3 -m json.tool
curl -X POST "https://your-avideo-instance.com/plugin/Live/on_publish_done.php" \
-d "name=STREAM_KEY_HERE"
live_transmitions_history table. The...Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H