WWBN AVideo Path Traversal Vulnerability in CloneSite Plugin Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in WWBN AVideo versions prior to 26.0, specifically within the CloneSite plugin. The issue arises in the 'deleteDump' parameter of 'plugin/CloneSite/cloneServer.json.php', where user input is directly passed to the 'unlink()' function without proper path sanitization. This flaw allows attackers with valid clone credentials to manipulate the file path by using traversal sequences to delete arbitrary files on the server. Critical application files, such as 'configuration.php', can be targeted, leading to a complete denial of service or facilitating further attacks by removing essential security files.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion on the server, including application source code, configuration files, and uploaded media. Deleting 'configuration.php' disrupts the entire AVideo application, causing fatal errors on every page load. Additionally, removal of access control files like '.htaccess' can expose protected directories, while deleting specific plugin or authentication files may further weaken the application's security, potentially leading to additional attacks.

Reproduction

To reproduce this vulnerability, a valid clone URL and key pair registered with an admin approval are required. First, verify that the target file, such as 'configuration.php', exists on the server. Then, send a request to 'plugin/CloneSite/cloneServer.json.php' with the 'deleteDump' parameter set to a path traversal payload that escapes the 'clonesDir' directory and targets the desired file. The response should confirm the file deletion, which can be verified by checking the file's availability on the server. Once 'configuration.php' is deleted, the AVideo application will fail to function, as this file is crucial for the application's operation.

Remediation

Users are advised to update to AVideo version 26.0 or later, where this vulnerability has been patched. The fix involves adding proper path validation to the 'deleteDump' parameter, ensuring that only files within the designated 'clonesDir' directory can be deleted.
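One way to implement the validation the remediation describes, written here as an added example for this page rather than taken from the AVideo 26.0 patch. The directory variable $clonesDir, the function names and the JSON response shape are assumptions; the defensive rule is the one the advisory states, that only files resolving inside the clones directory may be deleted.

```php
<?php
// Added example (not AVideo's own code): confine deleteDump to $clonesDir.
// $clonesDir, function names and the response shape are assumptions.

/**
 * Resolve a user-supplied dump name to a canonical path inside $clonesDir.
 * Returns the canonical path, or null when the request must be rejected.
 */
function resolveDumpPath(string $clonesDir, string $userInput): ?string
{
    // Canonicalise the base directory first; without it nothing is deletable.
    $base = realpath($clonesDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Dumps are flat files in clonesDir, so anything that is not a plain
    // file name (separators, NUL bytes, dot entries) is rejected up front.
    if ($userInput === '' || $userInput === '.' || $userInput === '..'
        || strpbrk($userInput, "/\\\0") !== false) {
        return null;
    }

    // realpath() resolves symlinks and '..' segments and returns false for a
    // file that does not exist, so a missing file is also rejected here.
    $target = realpath($base . $userInput);
    if ($target === false || !is_file($target)) {
        return null;
    }

    // The canonical target must start with the canonical base plus a
    // separator; keeping the separator in the prefix stops a sibling such as
    // "/srv/clones2" from matching "/srv/clones".
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;
    }

    return $target;
}

/**
 * The pattern the advisory describes: the parameter reaches unlink()
 * unchanged, so a traversal sequence escapes clonesDir. Kept only as the
 * "before" for comparison.
 */
function deleteDumpUnsafe(string $clonesDir, string $deleteDump): bool
{
    return unlink($clonesDir . $deleteDump);
}

/**
 * Hardened handler: delete only when the path resolves inside clonesDir,
 * and log rejected values so attempts show up in server logs.
 */
function deleteDumpSafe(string $clonesDir, string $deleteDump): array
{
    $path = resolveDumpPath($clonesDir, $deleteDump);
    if ($path === null) {
        // json_encode keeps control characters visible in the log line.
        error_log('CloneSite: rejected deleteDump value ' . json_encode($deleteDump));
        return ['error' => true, 'msg' => 'invalid dump name'];
    }
    return ['error' => !unlink($path), 'msg' => basename($path)];
}

// Usage inside the endpoint (constructed; the real request handling is
// whatever the plugin already does around its clone-key check):
// $clonesDir = __DIR__ . '/clones/';
// echo json_encode(deleteDumpSafe($clonesDir, $_REQUEST['deleteDump'] ?? ''));
```

Two points worth keeping when adapting this: the prefix comparison is done on the result of realpath(), so a symlink placed inside the clones directory that points elsewhere is rejected just like a '..' sequence, and the check still runs after the existing clone-credential check, since the advisory notes that valid clone credentials alone were enough to reach unlink().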

Added: Mar 22, 2026, 5:26 PM
Updated: Mar 22, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.