WWBN AVideo SocialMediaPublisher Plugin LinkedIn Upload OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the SocialMediaPublisher plugin of WWBN AVideo prior to version 26.0. The flaw is in the 'uploadVideoToLinkedIn()' method, which builds a shell command by interpolating the upload URL returned in LinkedIn's API response without escaping it. An attacker who can control the content of that API response as seen by the AVideo server can therefore inject arbitrary operating system commands, which execute as the web server user.

Impact

Successful exploitation gives arbitrary command execution on the AVideo server as the web server user, i.e. remote code execution. From that position an attacker can read application files, including configuration files and the database credentials they contain, and can modify application files or database records.

Reproduction

Reproduction requires the ability to alter the LinkedIn API response before it reaches the AVideo server. Intercept the response that carries the upload URL, replace the 'uploadUrl' field with a value that embeds shell metacharacters and the command to run, then trigger a video upload to LinkedIn through the plugin. The injected command executes on the server when 'uploadVideoToLinkedIn()' runs. Note that the injection point is data the server fetches from LinkedIn, not a request parameter, so the attacker must be positioned to tamper with that response; this is the precondition referred to as 'certain conditions' above.

Remediation

Update to version 26.0 or later, where this vulnerability has been fixed. If updating is not possible, modify 'uploadVideoToLinkedIn()' to wrap the upload URL with 'escapeshellarg()' before it is placed in the command, or, better, replace the 'exec()' call with PHP's native cURL functions, which are already used in the same class, so that no shell is involved at all.
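The following PHP is an added illustration of the vulnerable pattern and both remediations described above; it is not AVideo's own code. The function names, the exact command line, the sample URLs and the LinkedIn request details (PUT with a bearer token) are all assumptions made for the example. It also adds one check the advisory does not mention: a scheme and host allowlist, because a correctly quoted argument can still be something other than a LinkedIn upload endpoint.

```php
<?php
// Added example, not code from the AVideo project. Function names, the
// curl command line, sample URLs and the LinkedIn request shape are
// hypothetical. Requires PHP 8+ (str_ends_with) with the curl extension.
declare(strict_types=1);

// Constructed samples: a plausible benign response value, and what an
// attacker who controls the API response could substitute instead.
$benignUrl    = 'https://www.linkedin.com/dms-uploads/sample/upload';
$maliciousUrl = 'https://www.linkedin.com/upload"; id > /tmp/pwned; echo "';

/**
 * Vulnerable pattern: the API-supplied URL is interpolated straight into a
 * shell command string. A double quote in the URL closes the quoting and
 * everything after it is parsed by /bin/sh as further commands.
 */
function buildCommandVulnerable(string $uploadUrl, string $videoPath): string
{
    return 'curl -s -X PUT --upload-file "' . $videoPath . '" "' . $uploadUrl . '"';
}

/**
 * Remediation 1: keep exec() but pass every untrusted value through
 * escapeshellarg(), so the whole URL becomes exactly one argv entry.
 */
function buildCommandEscaped(string $uploadUrl, string $videoPath): string
{
    return 'curl -s -X PUT --upload-file ' . escapeshellarg($videoPath)
        . ' ' . escapeshellarg($uploadUrl);
}

/**
 * Added caveat (not in the advisory): quoting stops shell injection, but the
 * value can still be a non-LinkedIn URL or start with "-" and be read by
 * curl as an option. Reject anything that is not https on an expected host.
 */
function isAllowedUploadUrl(string $uploadUrl): bool
{
    if (filter_var($uploadUrl, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($uploadUrl);
    if (($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    // Hypothetical allowlist; adjust to the hosts LinkedIn actually returns.
    $host = strtolower($parts['host'] ?? '');
    return $host === 'www.linkedin.com' || str_ends_with($host, '.licdn.com');
}

/**
 * Remediation 2: no shell at all. PHP's cURL extension performs the upload
 * directly, so the URL is never seen by /bin/sh. Returns the HTTP status
 * code, or null if the URL is rejected or the transfer fails.
 */
function uploadWithCurl(string $uploadUrl, string $videoPath, string $bearerToken): ?int
{
    if (!isAllowedUploadUrl($uploadUrl)) {
        return null;
    }
    $fh = fopen($videoPath, 'rb');
    if ($fh === false) {
        return null;
    }
    $ch = curl_init($uploadUrl);
    curl_setopt_array($ch, [
        CURLOPT_UPLOAD         => true,            // PUT the file body
        CURLOPT_INFILE         => $fh,
        CURLOPT_INFILESIZE     => filesize($videoPath),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $bearerToken],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never file://, gopher://, ...
        CURLOPT_FOLLOWLOCATION => false,           // no redirect off the allowlist
    ]);
    curl_exec($ch);
    $status = curl_errno($ch) === 0 ? (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE) : null;
    curl_close($ch);
    fclose($fh);
    return $status;
}

// Show, without executing anything, how each builder treats the malicious URL.
echo "vulnerable: ", buildCommandVulnerable($maliciousUrl, '/tmp/video.mp4'), PHP_EOL;
echo "escaped:    ", buildCommandEscaped($maliciousUrl, '/tmp/video.mp4'), PHP_EOL;
echo "allowlist, benign:    ", var_export(isAllowedUploadUrl($benignUrl), true), PHP_EOL;
echo "allowlist, malicious: ", var_export(isAllowedUploadUrl($maliciousUrl), true), PHP_EOL;
```

In the vulnerable output the string after the first closing quote (`; id > /tmp/pwned; echo "`) is a second command the shell would run; in the escaped output the entire URL sits inside one pair of single quotes and is handed to curl as a single argument. The cURL-based version is preferable because it removes the shell from the data path entirely, which is why the advisory recommends it over escaping.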

Added: Mar 22, 2026, 5:20 PM
Updated: Mar 22, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 7.6
remediation: 7.7
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.