AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint

An unauthenticated remote attacker sends a POST request to `/plugin/LoginControl/pgp/decryptMessage.json.php` with a JSON body containing a PGP private key, ciphertext, and passphrase [ref_id=1]. The server decrypts the message and returns the plaintext, requiring no session, token, or credential [ref_id=1]. This allows anyone who can reach the endpoint to offload decryption work to the server and exposes submitted private key material to server memory and logging infrastructure [ref_id=1].

The endpoint at `decryptMessage.json.php` in the `plugin/LoginControl/pgp/` directory accepts a JSON body containing a private key, ciphertext, and passphrase, then passes them directly to the `decryptMessage()` function without any authentication check [ref_id=1].

The advisory recommends adding a `User::isLogged()` check (or equivalent session/authentication validation) at the top of `decryptMessage.json.php` before processing any user-supplied input [ref_id=1]. No patch diff is provided in the bundle, so the exact code change is not shown; however, the mitigation would prevent unauthenticated requests from reaching the decryption routine, closing the bypass [ref_id=1].

```bash curl -s -X POST \ "https://target.example.com/plugin/LoginControl/pgp/decryptMessage.json.php" \ -H "Content-Type: application/json" \ -d '{ "textToDecrypt": "-----BEGIN PGP MESSAGE-----\n<base64_ciphertext>\n-----END PGP MESSAGE-----", "privateKeyToDecryptMsg": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n<base64_private_key>\n-----END PGP PRIVATE KEY BLOCK-----", "keyPassword": "passphrase" }' ``` [ref_id=1]