Critical | Vulnerability | Active

Unauthenticated Stored DOM XSS in AVideo YPTSocket Plugin via Broadcast Metadata

An unauthenticated attacker can inject malicious JavaScript into WebSocket broadcast messages that execute in the browsers of all connected administrators. The vulnerability stems from unsanitized query parameters being stored and propagated to authenticated users without validation.

Sebastion

Affected

WWBN/AVideo YPTSocket Plugin

Vulnerability Description

This is a stored DOM-based Cross-Site Scripting vulnerability (CWE-79) in the AVideo YPTSocket plugin. The root cause is the absence of input validation on two attacker-controlled parameters, webSocketSelfURI and page_title, at the WebSocket token issuance stage. Both are read from the connection URL, stored unsanitized in an in-memory SQLite connections table, and subsequently broadcast to every authenticated client. On the client side, the page_title value is interpolated directly into an HTML template literal and passed to jQuery's .append() method, which parses the attacker-supplied bytes into live DOM nodes. The result is arbitrary JavaScript execution in the authenticated session context of every administrator currently viewing the YPTSocket online-users debug panel.

Proof-of-Concept Significance

This PoC demonstrates a critical precondition: the WebSocket token endpoint (getWebSocket.json.php) performs minimal access control, checking only that the YPTSocket plugin is enabled, with no authentication requirement. Any unauthenticated remote attacker can therefore obtain a valid WebSocket token and connect to the broadcast channel. The vulnerability is reliable because the injection point (page_title) persists in the shared data store and is automatically re-broadcast to all connected authenticated clients on each connection event, so exploitation succeeds with high probability.

Detection Guidance

Network/Log Indicators:

  • Monitor requests to the token endpoint /plugin/YPTSocket/getWebSocket.json.php from unauthenticated sources
  • Inspect WebSocket frames for users_id_online broadcasts containing HTML-like syntax, event handlers (onerror, onload, etc.), or script tags in the page_title field
  • Flag SQLite query patterns in application logs showing insertions into the connections table with unquoted or HTML-bearing data

HTTP Request Patterns:

  • Requests to getWebSocket.json.php with webSocketSelfURI or page_title parameters containing <, >, quotes, or encoded equivalents
  • Absence of Authorization or session cookie headers on token-issuance requests

Client-Side Detection:

  • Browser console errors or unexpected script execution following YPTSocket connection establishment
  • DOM mutations in the online-users panel containing injected HTML elements
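
The following is an added example of the frame inspection described above; it is not code from the advisory or from the AVideo project. It assumes a broadcast frame is a JSON message carrying a users_id_online array whose entries include page_title (a shape modelled on the description above, not taken from the plugin), and the sample frames are constructed for the demonstration.

```javascript
// Added example (not AVideo project code): scan YPTSocket broadcast frames for
// page_title values that carry markup. Frame shape is an assumption modelled on
// the advisory: JSON with a users_id_online array whose entries have page_title.

// Patterns the detection guidance calls out: tags, inline event handlers, and
// encoded equivalents of the angle brackets.
const HTML_TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;
const EVENT_HANDLER_RE = /\bon[a-z]+\s*=/i;
const ENCODED_META_RE = /(%3c|%3e|&lt;|&gt;|&#x?[0-9a-f]+;)/i;

// Inspect one decoded text frame. Returns one finding per suspicious entry;
// an empty array means the frame is clean.
function inspectBroadcastFrame(frameText) {
  let msg;
  try {
    msg = JSON.parse(frameText);
  } catch {
    return [{ reason: 'unparseable-frame' }];
  }
  const findings = [];
  const users = Array.isArray(msg.users_id_online) ? msg.users_id_online : [];
  for (const u of users) {
    const title = String(u.page_title ?? '');
    const reasons = [];
    if (HTML_TAG_RE.test(title)) reasons.push('html-tag');
    if (EVENT_HANDLER_RE.test(title)) reasons.push('event-handler');
    if (ENCODED_META_RE.test(title)) reasons.push('encoded-metachar');
    if (reasons.length) findings.push({ users_id: u.users_id, reasons, page_title: title });
  }
  return findings;
}

// Constructed sample frames (not captured traffic). Frame 0 is benign, frame 1
// mixes a benign entry with an event-handler payload, frame 2 is URL-encoded.
const SAMPLE_FRAMES = [
  JSON.stringify({ type: 'users_id_online', users_id_online: [
    { users_id: 1, page_title: 'Dashboard' },
  ] }),
  JSON.stringify({ type: 'users_id_online', users_id_online: [
    { users_id: 1, page_title: 'Dashboard' },
    { users_id: 0, page_title: '<img src=x onerror="alert(1)">' },
  ] }),
  JSON.stringify({ type: 'users_id_online', users_id_online: [
    { users_id: 0, page_title: '%3Cscript%3E' },
  ] }),
];

// Run the inspector over a capture and keep only frames with findings.
function scanFrames(frames) {
  return frames
    .map((f, i) => ({ frame: i, findings: inspectBroadcastFrame(f) }))
    .filter((r) => r.findings.length > 0);
}

for (const r of scanFrames(SAMPLE_FRAMES)) {
  console.log(JSON.stringify(r));
}
```

Feed the function the text of each WebSocket frame as it is decoded (for example from a proxy or a browser devtools export); a hit on users_id 0, which the advisory associates with unauthenticated connections, is the pattern worth alerting on first.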

Mitigation Steps

Immediate Actions:

  1. Disable the YPTSocket plugin if not actively required
  2. Restrict access to /plugin/YPTSocket/ endpoints via WAF rules or network ACLs to authenticated users only
  3. Implement CSP headers with script-src 'self' and img-src 'self' to mitigate inline event handler execution

Patching & Remediation:

  1. Update AVideo to the patched version when available
  2. In the interim, add server-side input validation in getEncryptedInfo() and MessageSQLiteV2::onOpen() to strip or reject HTML metacharacters and event handler attributes from all query parameters
  3. Sanitize the page_title parameter on the client side before DOM insertion; assign user-controlled data via .textContent instead of passing it to .append(), or use a DOM-safe templating library that auto-escapes
  4. Require authentication for getWebSocket.json.php
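
The block below is an added reference implementation of remediation steps 2 and 3; it is not code from the advisory or from the AVideo project. The server-side checks are written in JavaScript for illustration, since the plugin functions the advisory names (getEncryptedInfo() and MessageSQLiteV2::onOpen()) are PHP; the allowed host passed to validateSelfUri() and the 200-character title limit are assumed deployment values.

```javascript
// Added example (not AVideo project code): the validation and output-encoding
// the advisory's remediation steps call for, in JavaScript as a reference.

// --- Server side: reject broadcast metadata that carries HTML ---------------
// Returns { ok: true, value } for an acceptable title, else { ok: false, reason }.
// maxLen is an assumed limit; tune it to the longest legitimate page title.
function validatePageTitle(raw, maxLen = 200) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not-a-string' };
  let value;
  try {
    value = decodeURIComponent(raw); // so %3C-style encodings are judged decoded
  } catch {
    return { ok: false, reason: 'bad-encoding' };
  }
  if (value.length > maxLen) return { ok: false, reason: 'too-long' };
  if (/[<>"'`&]/.test(value)) return { ok: false, reason: 'html-metachar' };
  if (/\bon[a-z]+\s*=/i.test(value)) return { ok: false, reason: 'event-handler' };
  if (/javascript:/i.test(value)) return { ok: false, reason: 'script-scheme' };
  return { ok: true, value };
}

// webSocketSelfURI is a URL, not free text: parse it and pin it to the site's
// own host (allowedHost is an assumed deployment value).
function validateSelfUri(raw, allowedHost) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: 'not-a-url' };
  }
  if (!['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol)) {
    return { ok: false, reason: 'bad-scheme' };
  }
  if (url.hostname !== allowedHost) return { ok: false, reason: 'foreign-host' };
  return { ok: true, value: url.href };
}

// --- Client side: never let a title reach the DOM as markup -------------------
// Escapes the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The vulnerable shape the advisory describes: title interpolated into a
// template literal that is then handed to .append(). Kept here as the "before".
function renderRowUnsafe(user) {
  return `<li data-id="${user.users_id}">${user.page_title}</li>`;
}

// Hardened: both the attribute and the text are escaped. In a browser the
// simpler route is to create the <li> and assign li.textContent = page_title.
function renderRowSafe(user) {
  return `<li data-id="${escapeHtml(user.users_id)}">${escapeHtml(user.page_title)}</li>`;
}
```

Apply validatePageTitle() and validateSelfUri() at token issuance and again in onOpen() before anything is written to the connections table, so a rejected value never reaches the store that feeds the broadcast; the client-side escaping is defence in depth for titles that were stored before the fix.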

Risk Assessment

This vulnerability poses a critical risk in production environments because: (1) it requires no authentication, (2) it affects high-privilege users (administrators), (3) exploitation is reliable and automatable, and (4) the damage scope includes full session hijacking or credential theft. Threat actors actively scanning for publicly exposed AVideo instances are likely to prioritize this attack vector. Exploitation in the wild is probable if the plugin is widely deployed and internet-facing. Organizations running AVideo should treat this as a priority patch candidate.