## Summary

The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (`kill.ffmpeg.json.php`, `list.ffmpeg.json.php`, `ffmpeg.php`) require `User::isAdmin()`.

## Details

The entire file at `plugin/API/check.ffmpeg.json.php`:

```php
<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');
$obj = testFFMPEGRemote();
die(json_encode($obj));
```

No `User::isAdmin()`, `User::isLogged()`, or any other access control check exists. Compare with sibling endpoints in the same directory:

- `kill.ffmpeg.json.php` checks `User::isAdmin()`
- `list.ffmpeg.json.php` checks `User::isAdmin()`

## Proof of Concept

```bash
curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"
```

Returns information about whether the platform uses a standalone FFmpeg server and whether it is currently reachable.

## Impact

Infrastructure reconnaissance: the unauthenticated response reveals part of the encoding architecture. Limited direct impact, but it aids targeted attack planning.

## Recommended Fix

Add an admin authentication check at `plugin/API/check.ffmpeg.json.php:3`, after `require_once $configFile;`:

```php
if (!User::isAdmin()) {
    forbiddenPage('Admin only');
}
```

---

*Found by [aisafe.io](https://aisafe.io)*
| Vendor | Product | Versions |
|---|---|---|
| composer | wwbn/avideo | composer/wwbn/avideo: <= 26.0 |
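The root cause in the Details section is a single endpoint in a directory whose siblings all carry the same guard, which is exactly the kind of inconsistency a small audit script catches before a release. The following Python is an added example, not code from AVideo or from the advisory's author: it scans PHP endpoint sources for an unconditional `User::isAdmin()` / `User::isLogged()` call (ignoring commented-out guards), lists the files that lack one, and can apply the Recommended Fix by inserting the guard after `require_once $configFile;`. The sample file contents are constructed here; the `check.ffmpeg.json.php` body is the one quoted in Details, while `killFFMPEGRemote()` and the third sibling are hypothetical.

```python
import re

# Constructed sample endpoints. The first is the vulnerable file as quoted in
# the advisory; the second is a hypothetical guarded sibling (the function
# name killFFMPEGRemote is invented); the third has its guard commented out,
# a case a naive grep for "isAdmin" would wrongly report as protected.
SAMPLE_ENDPOINTS = {
    "plugin/API/check.ffmpeg.json.php": """<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');
$obj = testFFMPEGRemote();
die(json_encode($obj));
""",
    "plugin/API/kill.ffmpeg.json.php": """<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');
if (!User::isAdmin()) {
    forbiddenPage('Admin only');
}
$obj = killFFMPEGRemote();  // hypothetical function name
die(json_encode($obj));
""",
    "plugin/API/example.commented.json.php": """<?php
require_once __DIR__.'/../../videos/configuration.php';
// if (!User::isAdmin()) { forbiddenPage('Admin only'); }
die(json_encode(array('ok' => true)));
""",
}

# Access-control calls we accept as a guard. Heuristic: presence of the call
# outside comments; it does not prove the call is reached unconditionally.
ACCESS_CHECK_RE = re.compile(r"User::(isAdmin|isLogged)\s*\(")
# Block comments, // line comments and # line comments (string-unaware, so
# treat it as an audit aid, not a parser).
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

def strip_php_comments(src: str) -> str:
    """Remove comments so a commented-out guard does not count as protection."""
    return COMMENT_RE.sub("", src)

def has_access_check(src: str) -> bool:
    """True if the source contains a live User::isAdmin() or User::isLogged() call."""
    return ACCESS_CHECK_RE.search(strip_php_comments(src)) is not None

def audit_endpoints(files: dict) -> list:
    """Return the sorted paths of endpoint files with no access-control call."""
    return sorted(path for path, src in files.items() if not has_access_check(src))

# The guard recommended by the advisory, verbatim.
ADMIN_GUARD = "if (!User::isAdmin()) {\n    forbiddenPage('Admin only');\n}\n"

def apply_admin_check(src: str) -> str:
    """Insert the admin guard directly after `require_once $configFile;`.

    Idempotent: a file that already carries a check is returned unchanged.
    Raises ValueError if the anchor line is absent, so the caller must look
    at that file by hand rather than silently leaving it unguarded.
    """
    if has_access_check(src):
        return src
    anchor = "require_once $configFile;\n"
    idx = src.find(anchor)
    if idx == -1:
        raise ValueError("no `require_once $configFile;` line to anchor the guard on")
    insert_at = idx + len(anchor)
    return src[:insert_at] + ADMIN_GUARD + src[insert_at:]

if __name__ == "__main__":
    for path in audit_endpoints(SAMPLE_ENDPOINTS):
        print("unprotected:", path)
    print(apply_admin_check(SAMPLE_ENDPOINTS["plugin/API/check.ffmpeg.json.php"]))
```

The audit is deliberately conservative in one direction only: it never reports a file as protected on the strength of a commented-out call, but a guard placed after the sensitive work, or inside an unrelated branch, still passes. For the `plugin/API/` directory that is acceptable because every sibling uses the same early-exit pattern, so the finding to act on is the file the script flags that its neighbours do not.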