WWBN AVideo Path Traversal Vulnerability in listFiles.json.php Endpoint Allows Unauthorized Filesystem Enumeration

Vulnerability

A path traversal vulnerability has been identified in WWBN AVideo versions prior to 26.0. The issue resides in the `listFiles.json.php` endpoint, which accepts a `path` POST parameter and passes it directly to the `glob()` function without proper validation. This flaw allows authenticated uploaders to traverse the server filesystem by providing arbitrary absolute paths. The vulnerability enables enumeration of `.mp4` files and their full filesystem paths, including locations outside the web root, such as private or premium media directories.

Impact

Exploitation of this vulnerability allows unauthorized enumeration of private or premium `.mp4` files stored outside the user's permitted directory. It also discloses full absolute paths of these files, revealing sensitive server directory structures that could aid in further attacks. Additionally, in AVideo deployments where premium content is stored in unprotected filesystem directories, this vulnerability could bypass application access controls, facilitating direct access to the enumerated files if other weaknesses are present.

Reproduction

To reproduce this vulnerability, authenticate as a user with `canUpload` permission, which is typically granted to all video uploaders on a multi-user AVideo instance. Once authenticated, send a POST request to the `listFiles.json.php` endpoint with a `path` parameter set to an arbitrary absolute path. The response will include the full absolute paths of all `.mp4` files located in the specified directory. This vulnerability can be exploited by traversing outside the intended upload directory to access private or premium content stored in restricted locations.

Remediation

Users are advised to update to AVideo version 26.0 or later, where this vulnerability has been patched. For those using version 14.0 or earlier, the recommended fix is to modify the `listFiles.json.php` endpoint to validate and restrict the `path` parameter before it is used with `glob()`. This can be done by checking that the resolved path starts with an allowed base directory, thereby preventing unauthorized traversal.
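One way to implement the check described above, as an added example in PHP (not AVideo's own code): the base directory, the function name and the JSON response shape are assumptions, and the listing returns paths relative to the base so absolute server paths are not disclosed.

```php
<?php
// Added example, not AVideo's code. Confine a user-supplied directory to an
// allowed base before it reaches glob(). $baseDir is an assumed location.

function listMp4Files(string $baseDir, string $requestedPath): array
{
    // Canonicalise the base once; fail closed if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return [];
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // Resolve the request the same way: realpath() collapses "..", follows
    // symlinks and returns false for paths that do not exist (treated as denied),
    // so a symlink inside the base that points outside it is rejected too.
    $target = realpath($requestedPath);
    if ($target === false) {
        return [];
    }

    // Compare against the base plus a trailing separator, so that a sibling
    // such as "/var/uploads2" does not pass for base "/var/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return [];
    }

    // Only a path proven to lie under the base is handed to glob().
    $matches = glob($target . DIRECTORY_SEPARATOR . '*.mp4');
    if ($matches === false) {
        return [];
    }

    // Strip the base so the response never reveals the absolute layout.
    return array_map(
        static fn(string $f): string => substr($f, strlen($prefix)),
        $matches
    );
}

// Assumed endpoint wiring: the allowed base is fixed server-side, never taken
// from the request.
$allowedBase = '/var/www/avideo/videos'; // assumption
header('Content-Type: application/json');
echo json_encode(['files' => listMp4Files($allowedBase, (string) ($_POST['path'] ?? ''))]);
```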

Added: Mar 21, 2026, 12:29 AM
Updated: Mar 21, 2026, 12:29 AM

Vulnerability Rating

Custom Algorithm

| Category       | Score |
|----------------|-------|
| spread         | 1.0   |
| impact         | 0.6   |
| exploitability | 6.8   |
| remediation    | 7.7   |
| relevance      | 4.5   |
| threat         | 6.4   |
| urgency        | 2.9   |
| incentive      | 0.0   |

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.