WWBN AVideo Path Traversal Vulnerability in HLS Streaming Endpoint Allows Unauthorized Access to Private and Paid Videos

Vulnerability

A path traversal vulnerability has been identified in the HLS streaming endpoint of WWBN AVideo, an open-source video platform, prior to version 26.0. It allows an unauthenticated attacker to stream private or paid videos by manipulating the `videoDirectory` GET parameter. The root cause is that the authorization check and the file lookup do not operate on the same path: access is checked against one video while the content is served from another, so a request that passes the check for a public video can be served the files of a restricted one.

Impact

Exploitation of this vulnerability allows any unauthenticated user to stream private, unlisted, or paid videos on the platform. This includes bypassing pay-per-view or subscription protections, violating privacy for restricted videos, and potentially leading to large-scale content theft, as video filenames can be easily enumerated.

Reproduction

To reproduce this vulnerability, send a request to the `view/hls.php` endpoint with a `videoDirectory` parameter that includes a public video directory followed by a traversal sequence to a private video. The request will bypass authorization and stream the private video.

Remediation

Users are advised to update to AVideo version 26.0 or later, where this vulnerability has been fixed.
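The following Python sketch is an added illustration of the check that closes this class of bug, not AVideo's own code: canonicalize the requested `videoDirectory` value, confirm it resolves to exactly one video directory directly under the videos root, and run the authorization check on that same resolved directory rather than on the first path segment. The directory names, the access table and the function names are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple

# Constructed access table standing in for the platform's per-video visibility.
ACCESS = {"public_video": "public", "private_video": "private"}


def resolve_video_dir(videos_root: str, requested: str) -> Optional[str]:
    """Canonicalize the `videoDirectory` value and return the name of the one
    video directory it denotes, or None if it escapes the root, is the root
    itself, or points anywhere other than a direct child of the root."""
    root = Path(videos_root).resolve()
    try:
        target = (root / requested).resolve()
    except (OSError, RuntimeError):
        return None
    if target.parent != root:          # rejects '..' escapes and nested paths
        return None
    return target.name


def authorize_stream(videos_root: str, requested: str,
                     can_view: Callable[[str], bool]) -> Optional[str]:
    """Authorize against the SAME resolved directory that content would be
    served from, so the check and the file lookup cannot disagree."""
    name = resolve_video_dir(videos_root, requested)
    if name is None or not can_view(name):
        return None
    return name


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed layout: one public and one private video directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for d in ACCESS:
            os.makedirs(os.path.join(tmp, d))
        anonymous = lambda name: ACCESS.get(name) == "public"
        return (
            authorize_stream(tmp, "public_video", anonymous),
            # public prefix followed by a traversal into the private video
            authorize_stream(tmp, "public_video/../private_video", anonymous),
            authorize_stream(tmp, "../", anonymous),
        )
```

Only the first request is served; the traversal request resolves to the private directory and is refused by the same check that would have admitted a request for the public one.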

Added: Mar 22, 2026, 5:22 PM
Updated: Mar 22, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.