WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 22
A remote code execution vulnerability has been identified in WWBN AVideo versions prior to 24.0. This issue arises from the plugin upload and import feature, where authenticated administrators can upload ZIP archives containing executable server-side files. The vulnerability is due to inadequate validation of the extracted file contents, allowing the archives to be extracted directly into a web-accessible plugin directory. This oversight enables the execution of arbitrary PHP code on the server.
Exploitation of this vulnerability allows authenticated administrators to execute arbitrary code on the server, potentially leading to a full system compromise.
To reproduce this vulnerability, an authenticated administrator can upload a ZIP file containing PHP scripts with malicious code through the plugin import feature. The uploaded ZIP file is then extracted into a directory accessible via the web, where the PHP scripts can be executed.
Users are advised to upgrade to AVideo version 24.0 or later, which includes patches for this vulnerability. If an immediate upgrade is not possible, the plugin upload and import functionality can be disabled, or the web server can be configured to block the execution of PHP files in the plugin upload directories.
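The missing check described above is a validation of archive entries before extraction. The following is an added example, not AVideo's own code, of a pre-extraction audit that rejects any ZIP entry whose name carries a server-side executable suffix (including double extensions such as `x.php.jpg` and `.htaccess` overrides that could re-enable PHP handling); it goes slightly beyond the advisory by also rejecting entries whose paths would escape the plugin directory. The blocked-suffix list and the two sample archives are constructed for the example.

```python
import io
import posixpath
import zipfile
from typing import Dict, List, Optional

# Suffixes a typical PHP web server would execute or honour as config.
# This list is an assumption for the example, not AVideo's own allow/deny list.
BLOCKED_SUFFIXES = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess",
}


def blocked_reason(name: str) -> Optional[str]:
    """Return why an archive entry must be rejected, or None if it is acceptable."""
    # Normalise to POSIX separators and reject absolute or escaping paths (zip slip).
    norm = posixpath.normpath(name.replace("\\", "/"))
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return f"path escapes the plugin directory: {name!r}"
    base = posixpath.basename(norm)
    # Every dot-separated part after the first counts as a suffix, so
    # "shell.php.jpg" and ".htaccess" are both caught.
    for suffix in base.lower().split(".")[1:]:
        if suffix in BLOCKED_SUFFIXES:
            return f"server-side executable or config file: {name!r}"
    return None


def audit_zip(data: bytes) -> List[str]:
    """Audit a ZIP (given as bytes) and return all rejection reasons; empty means safe to extract."""
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = blocked_reason(info.filename)
            if reason:
                problems.append(reason)
    return problems


def build_sample_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: a benign plugin and one that should be refused.
CLEAN_PLUGIN = build_sample_zip({
    "MyPlugin/plugin.json": b'{"name": "MyPlugin"}',
    "MyPlugin/assets/style.css": b"body {}",
})
BAD_PLUGIN = build_sample_zip({
    "MyPlugin/plugin.json": b"{}",
    "MyPlugin/cmd.php": b"<?php echo 'placeholder'; ?>",  # placeholder, not an exploit
    "../../index.php": b"<?php ?>",                        # would land outside the plugin dir
    "MyPlugin/.htaccess": b"",                             # could re-enable PHP handling
})


if __name__ == "__main__":
    for label, archive in (("clean", CLEAN_PLUGIN), ("bad", BAD_PLUGIN)):
        findings = audit_zip(archive)
        print(f"{label}: {'OK' if not findings else 'REJECT'}")
        for f in findings:
            print("  -", f)
```

Run the audit on the uploaded archive before any extraction and refuse the whole upload on the first finding; combining it with a web-server rule that disables PHP execution under the plugin directory (the second mitigation above) means a missed suffix still cannot execute.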