WWBN AVideo Race Condition Vulnerability in aVideoEncoder.json.php Unzip Functionality Allowing Arbitrary Code Execution

A race condition vulnerability has been identified in the unzip functionality of the aVideoEncoder.json.php file in WWBN AVideo versions 14.4 and the development master commit 8a8954ff. This vulnerability allows arbitrary code execution by exploiting the way uploaded zip files are handled. When a zip file is uploaded, it is extracted into a directory designated for video files. However, due to the race condition, an attacker can send an HTTP request to execute files, such as a .phar file, before the extraction process is completed and the directory is cleaned of unauthorized file types. This exploitation is possible because the .htaccess file in the videos directory does not properly block the execution of .phar files, creating a window of opportunity for executing arbitrary PHP code.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of arbitrary PHP code on the server.

Reproduction

To reproduce this vulnerability, upload a zip file containing a .phar file through the video upload feature in AVideo. Ensure that the 'format' parameter is set to 'zip' and that the 'resolution' parameter matches one of the allowed values. The .phar file will be extracted into a directory that is accessible via HTTP, taking advantage of the race condition before the directory is cleaned of non-whitelisted file types.

Remediation

Users are advised to update to the patched version released by the vendor.