The CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the par request parameter.
The CDN plugin defines a default empty key in plugin/CDN/CDN.php:68:
$obj->key = "";
The status.json.php endpoint authenticates requests using this key, but the check has a critical logic flaw at lines 16-27:
// Line 16-19: Requires attacker to provide SOME key value
if (empty($_REQUEST['key'])) {
    $resp->msg = 'Key is empty';
    die(json_encode($resp));
}

// Line 21-26: Only validates key IF stored key is non-empty
if (!empty($obj->key)) { // When key is "" (default), this is FALSE
    //check the key
    if ($obj->key !== $_REQUEST['key']) {
        $resp->msg = 'Key Does not match';
        die(json_encode($resp));
    }
}
When the stored key is the default empty string "", !empty("") evaluates to false, and the entire key comparison block is skipped. Any non-empty value provided by the attacker passes authentication.
Following the bypass, lines 28-31 perform unchecked mass-assignment:
$obj->key = $_REQUEST['key'];
foreach ($_REQUEST['par'] as $key => $value) {
    $obj->{$key} = $value;
    $resp->{$key} = $value;
}
The attacker-controlled par array sets arbitrary properties on the plugin data object. At line 95, the modified object is persisted to the database:
$cdn = AVideoPlugin::loadPluginIfEnabled('CDN');
$id = $cdn->setDataObject($obj);
setDataObject() in Plugin.abstract.php:263 serializes the entire object to JSON and saves it, making all mass-assigned properties...
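To make the flaw and its fix concrete, the following is an added example (not AVideo's code) that places the vulnerable check pattern from status.json.php beside a hardened form. The hardened version treats an unconfigured (empty) stored key as fail-closed, compares keys in constant time with hash_equals(), and replaces the unchecked mass-assignment with an allow-list of editable properties. The $obj object, the CDN_EDITABLE_PROPERTIES list and the property names used are assumptions for illustration.

```php
<?php
// Added example, not code from the AVideo project. $obj stands for the plugin
// data object loaded from the database; property names are assumptions.

// Vulnerable pattern: when the stored key is "" (the default), the whole
// comparison block is skipped and any non-empty request key is accepted.
function vulnerableKeyCheck(object $obj, array $request): bool
{
    if (empty($request['key'])) {
        return false;                 // 'Key is empty'
    }
    if (!empty($obj->key)) {          // false when $obj->key === ""
        if ($obj->key !== $request['key']) {
            return false;             // 'Key Does not match'
        }
    }
    return true;                      // reached with stored key "" and any request key
}

// Hardened check: no configured key means no access, and the comparison
// does not leak timing information.
function hardenedKeyCheck(object $obj, array $request): bool
{
    $stored = (string)($obj->key ?? '');
    $given  = (string)($request['key'] ?? '');
    if ($stored === '' || $given === '') {
        return false;                 // fail closed until a key has been configured
    }
    return hash_equals($stored, $given);
}

// Assumed allow-list: only properties an operator should be able to toggle
// remotely. The key, CDN URLs and storage credentials are deliberately absent.
const CDN_EDITABLE_PROPERTIES = ['enabled'];

// Replacement for the foreach mass-assignment: applies only allow-listed
// properties and reports the names that were refused, for logging.
function applyAllowedUpdates(object $obj, array $par): array
{
    $rejected = [];
    foreach ($par as $name => $value) {
        if (!in_array($name, CDN_EDITABLE_PROPERTIES, true)) {
            $rejected[] = $name;
            continue;
        }
        $obj->{$name} = $value;
    }
    return $rejected;
}

// Constructed demonstration object in the default (unconfigured) state.
$obj = new stdClass();
$obj->key = "";
$obj->enabled = false;

// Constructed request that also tries to overwrite the key via par.
$request = ['key' => 'anything', 'par' => ['enabled' => true, 'key' => 'new-key']];

$legacyResult   = vulnerableKeyCheck($obj, $request);  // accepted despite no configured key
$hardenedResult = hardenedKeyCheck($obj, $request);    // refused: stored key is empty

// Once a key is configured, the hardened check admits only a matching key,
// and the allow-list keeps 'key' out of the persisted object.
$obj->key = 'configured-secret';
$request['key'] = 'configured-secret';
$authenticated = hardenedKeyCheck($obj, $request);
$refused = applyAllowedUpdates($obj, $request['par']);  // contains 'key'

printf("legacy=%s hardened(unconfigured)=%s hardened(configured)=%s refused=%s\n",
    var_export($legacyResult, true), var_export($hardenedResult, true),
    var_export($authenticated, true), implode(',', $refused));
```

The allow-list is the important part for this endpoint: even with a correct key, a caller should not be able to rotate the key or rewrite storage credentials through the same request that toggles CDN status, so those properties should only be settable from the authenticated plugin configuration UI.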
Exploitability: AV:N / AC:L / PR:N / UI:N
Scope: S:U
Impact: C:L / I:H / A:L
Base score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L