Kalcaddle Kodbox Command Injection Vulnerability in Media File Preview Plugin
Vulnerability
A command injection vulnerability has been identified in Kalcaddle Kodbox versions through 1.64.05. The issue resides in the Media File Preview Plugin, specifically within the VideoResize.class.php file. The vulnerability arises in the 'run' function, where user-controlled file paths are directly concatenated into the shell command that executes 'ffmpeg'. Because the shell parses the resulting command string, an authenticated remote attacker can inject arbitrary system commands by placing shell metacharacters in the file name; the injected commands run when the video transcoding process is triggered.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the commands being executed under the privileges of the web server process.
Reproduction
To reproduce this vulnerability, upload a video file with a crafted filename containing shell metacharacters to a server running Kalcaddle Kodbox version 1.64.05 or earlier, with the Media File Preview Plugin enabled. After uploading the file, retrieve the file path from the upload response and send a request to the transcoding interface, using the path of the uploaded file. The injected commands can be verified by checking for a received connection on a listener set up on the server.
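The root cause described above is a file name reaching the shell unescaped. As an added illustration of the mitigation (example code, not Kodbox's or the plugin's own; the function name, the upload base directory and the scale filter are assumed), the following shows the unsafe pattern as a comment beside a hardened transcode helper that validates the path and starts ffmpeg without any shell:

```php
<?php
// Added example, not Kodbox code. Hypothetical helper for the mitigation.
//
// UNSAFE pattern (what the advisory describes): the caller-controlled path is
// spliced into one command string that /bin/sh then parses, so any shell
// metacharacter in the file name becomes part of the command:
//     shell_exec("ffmpeg -i " . $inputPath . " -vf scale=640:-2 " . $outputPath);
//
// HARDENED: confine the path to the upload directory, check the extension,
// then build the command as an argv array so no shell ever sees the name.
function transcodeSafe(string $inputPath, string $outputPath, string $baseDir): array
{
    $real = realpath($inputPath);   // resolves ../ and symlinks; false if missing
    $base = realpath($baseDir);
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($real === false || $base === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('input path is outside the upload directory');
    }
    if (!preg_match('/\.(mp4|mov|mkv|avi)$/i', $real)) {
        throw new InvalidArgumentException('unsupported input extension');
    }

    // PHP >= 7.4: an array passed to proc_open() is handed to execve() as argv,
    // bypassing the shell entirely. $real is absolute (starts with "/"), so it
    // can never be mistaken by ffmpeg for an option beginning with "-".
    // On older PHP, wrap every operand in escapeshellarg() and keep the prefix check.
    $argv = ['ffmpeg', '-nostdin', '-y', '-i', $real, '-vf', 'scale=640:-2', $outputPath];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ffmpeg');
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}
```

Detection-wise, the same weakness is easy to grep for in a PHP code base: any `shell_exec`, `exec`, `system` or string-form `proc_open` call whose argument is built by concatenating a request-derived path.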
