WWBN AVideo Arbitrary Local File Read Vulnerability in aVideoEncoder.json.php

A vulnerability allowing authenticated users to read arbitrary local files has been identified in WWBN AVideo versions through 26.0. The issue arises in the `POST /objects/aVideoEncoder.json.php` endpoint, which accepts a user-controlled `chunkFile` parameter for uploading video chunks. Instead of limiting this parameter to safe, server-generated file locations, the endpoint allows access to a wide range of local filesystem paths that pass the `isValidURLOrPath()` validation. This includes directories like `/var/www/`, the application root, cache, temporary files, and the `videos` directory, while only excluding `.php` files. Exploiting this vulnerability involves injecting a path to a readable file, which is then copied to the user's public video storage, where it can be downloaded via HTTP.

Impact

Successful exploitation allows for authenticated users to read arbitrary local files, with the potential to access sensitive information such as TLS private keys.

Reproduction

To reproduce this vulnerability, log in as an authenticated user with upload permissions. Create a video to obtain a `videos_id`, then send a POST request to `aVideoEncoder.json.php` with the `chunkFile` parameter set to a path of a readable file on the server. The file will be copied to the user's public video directory and can be downloaded from there.

Remediation

Users can update to the latest version of WWBN AVideo, where this vulnerability has been patched.