Files.gallery Command Injection Vulnerability in Video Thumbnail Rendering Component

A command injection vulnerability has been identified in Karl Ward's files.gallery versions 0.3.0 through 0.11.0. This vulnerability allows remote attackers to execute arbitrary code by uploading a crafted video file. The issue arises in the video thumbnail rendering component, where user-controlled input is not properly sanitized before being passed to a command execution function. Exploitation requires that ffmpeg is available in the system's PATH, that file uploads are allowed in the application's configuration, and that the exec function is enabled in the PHP configuration.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the application is hosted.

Reproduction

To reproduce this vulnerability, upload a video file with a crafted filename that includes a command substitution payload, ensuring the file contains the appropriate magic bytes to be recognized as a valid MP4 file. After uploading, refresh the application to trigger the thumbnail rendering process, which will execute the embedded command and establish a reverse shell connection.