WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A denial-of-service vulnerability has been identified in WWBN AVideo versions through 26.0. The endpoint aVideoEncoderChunk.json.php is a standalone PHP script: it is not loaded through the application's framework, so it performs no authentication and applies no resource limits. An unauthenticated remote attacker can POST arbitrary data, which the script writes to temporary files under /tmp/ with no size restriction, rate limiting, or cleanup mechanism. Repeated requests therefore exhaust disk space and cause a denial of service on the server.
Exploitation fills the filesystem that backs /tmp/, and the effects reach well beyond AVideo: PHP session handling fails, MySQL cannot create its temporary tables, and system services that rely on tmpfs crash, which can bring down the entire server. Whether /tmp/ is on the root filesystem or a separate tmpfs only changes which resource is exhausted first (disk space or memory); either way the whole host is affected, not just the application.
The vulnerability can be reproduced by sending a POST request to aVideoEncoderChunk.json.php without authentication. A large body (for example 100 MB) is accepted and written to a file under /tmp/. A script that issues many such requests concurrently exhausts the available space quickly. The files written this way persist indefinitely, since no automatic cleanup process removes them.
Users are advised to update to the patched version of AVideo, which adds authentication, size limits, and a cleanup mechanism for temporary files. The latest version can be obtained from the official AVideo GitHub repository. Because files written by vulnerable versions persist, operators should also check /tmp/ for leftover upload files after upgrading and remove them.
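The controls the advisory says were missing, shown as an added illustration that is not AVideo's own code and not the actual patch: a chunk-upload endpoint that requires a session, caps the request body, stores chunks in a dedicated directory under a per-user quota, and removes stale chunks. The directory path, the byte limits, the retention window, and the $_SESSION['user_id'] key are assumptions chosen for the example.

```php
<?php
// Added example, not AVideo's own code: an illustrative chunk-upload endpoint
// contrasting the unsafe pattern the advisory describes with a hardened form.
// Directory, limits and the session key are assumptions made for this example.
declare(strict_types=1);

// Unsafe pattern (illustrative only, never executed here): an anonymous POST
// body goes straight to /tmp with no cap, and nothing ever removes the file.
//   $raw = file_get_contents('php://input');
//   file_put_contents(tempnam('/tmp', 'chunk_'), $raw);

const MAX_CHUNK_BYTES  = 8 * 1024 * 1024;          // assumed per-request cap
const MAX_USER_BYTES   = 512 * 1024 * 1024;        // assumed per-user quota
const CHUNK_DIR        = '/var/lib/avideo-chunks'; // assumed dedicated dir, not /tmp
const STALE_AFTER_SECS = 3600;                     // assumed retention for abandoned chunks

function deny(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// Total bytes currently stored for one user, removing chunks older than the
// retention window in the same pass (the cleanup the vulnerable script lacked).
function sweepAndMeasure(string $dir, int $now): int
{
    $used = 0;
    foreach (glob($dir . '/chunk_*') ?: [] as $path) {
        $st = @stat($path);
        if ($st === false) {
            continue;
        }
        if ($now - $st['mtime'] > STALE_AFTER_SECS) {
            @unlink($path);
            continue;
        }
        $used += $st['size'];
    }
    return $used;
}

// 1. Authentication: the vulnerable endpoint accepted anonymous POSTs.
session_start();
$userId = $_SESSION['user_id'] ?? null;            // assumed session key
if (!is_int($userId) || $userId <= 0) {
    deny(401, 'authentication required');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    deny(405, 'POST only');
}

// 2. Size limit: refuse oversized requests up front, then cap the actual read,
//    because Content-Length is client-supplied and may be absent or wrong.
$declared = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
if ($declared <= 0 || $declared > MAX_CHUNK_BYTES) {
    deny(413, 'chunk too large');
}
$body = file_get_contents('php://input', false, null, 0, MAX_CHUNK_BYTES + 1);
if ($body === false || $body === '' || strlen($body) > MAX_CHUNK_BYTES) {
    deny(413, 'chunk too large');
}

// 3. Per-user quota in a dedicated directory, so one account cannot fill the
//    filesystem that /tmp, PHP sessions and MySQL temp tables depend on.
$userDir = CHUNK_DIR . '/' . $userId;
if (!is_dir($userDir) && !mkdir($userDir, 0700, true) && !is_dir($userDir)) {
    deny(500, 'storage unavailable');
}
if (sweepAndMeasure($userDir, time()) + strlen($body) > MAX_USER_BYTES) {
    deny(507, 'storage quota exceeded');
}

// 4. Write under a server-chosen name; the client never influences the path.
$path = tempnam($userDir, 'chunk_');
if ($path === false || file_put_contents($path, $body, LOCK_EX) !== strlen($body)) {
    deny(500, 'write failed');
}

header('Content-Type: application/json');
echo json_encode(['stored' => basename($path), 'bytes' => strlen($body)]);
```

The in-request sweep only runs when a user uploads again, so a scheduled job (cron or a systemd timer) should also delete chunks older than the retention window, and the rate limiting the advisory names as missing is best enforced at the web server or reverse proxy rather than inside the script.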