WWBN AVideo Path Traversal Vulnerability in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion

Vulnerability

A path traversal vulnerability has been identified in WWBN AVideo versions through 26.0. The issue resides in the 'objects/import.json.php' endpoint, which accepts a user-controlled 'fileURI' POST parameter. The endpoint only performs a regex check to ensure the value ends with '.mp4', lacking any directory restrictions. This oversight enables authenticated users with upload permissions to steal private videos from other users, read adjacent '.txt', '.html', or '.htm' files, and delete '.mp4' files and related text files if they are writable by the web server.

Impact

Exploitation of this vulnerability allows for unauthorized access to private videos, adjacent file reading, and deletion of video files and metadata, leading to data loss.

Reproduction

To reproduce this vulnerability, an authenticated user with upload permission can send a POST request to the 'objects/import.json.php' endpoint. The 'fileURI' parameter must be crafted to include the path of a target user's private video file. Once the request is processed, the video will be imported into the attacker's account. Additionally, if the target video has an adjacent description file, its contents can be exfiltrated by the same import process. The vulnerability also allows for the deletion of the target video and its description files, if writable by the web server.

Remediation

Users are advised to update to the patched version, which includes the necessary directory restrictions to prevent path traversal. The specific commit with the fix can be found on the WWBN AVideo GitHub repository.
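The advisory describes a suffix-only regex check and a fix that adds directory restrictions. The following PHP is an added example, not AVideo project code or its actual patch: it places the weak extension-only check beside a hardened check that canonicalises the candidate path with realpath() and requires it to sit inside an allowed directory. The function names, the $allowedDir layout and the sample files created under the system temp directory are assumptions made for this demonstration.

```php
<?php
// Added example (not AVideo project code): the suffix-only check the advisory
// describes, next to a directory-restricted replacement. Function names, the
// $allowedDir layout and the sample files are assumptions for this demo.

declare(strict_types=1);

/**
 * Weak check as described in the advisory: only the file extension is
 * validated, so any readable .mp4 anywhere on the filesystem passes.
 */
function weakFileUriCheck(string $fileURI): bool
{
    return (bool) preg_match('/\.mp4$/i', $fileURI);
}

/**
 * Hardened check: the candidate must resolve (symlinks and '..' included) to a
 * regular file inside $allowedDir and still carry a .mp4 extension.
 * Returns the canonical path on success, null on rejection.
 */
function resolveImportPath(string $fileURI, string $allowedDir): ?string
{
    // Embedded NUL bytes can truncate paths in lower-level calls; reject early.
    if (strpos($fileURI, "\0") !== false) {
        return null;
    }
    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // realpath() collapses '..' and resolves symlinks, and returns false when
    // the target does not exist, so a non-existent path is rejected as well.
    $target = realpath($fileURI);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base with a trailing separator so that a sibling
    // directory sharing the prefix (e.g. "/data/uploads2") cannot match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($target, PATHINFO_EXTENSION)) !== 'mp4') {
        return null;
    }
    return $target;
}

// --- Constructed demo layout under the system temp directory ---
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'import_demo_' . bin2hex(random_bytes(4));
$allowed = $root . DIRECTORY_SEPARATOR . 'uploads';      // directory this user may import from
$private = $root . DIRECTORY_SEPARATOR . 'private_user'; // another user's directory
mkdir($allowed, 0700, true);
mkdir($private, 0700, true);
file_put_contents($allowed . DIRECTORY_SEPARATOR . 'own.mp4', 'x');
file_put_contents($private . DIRECTORY_SEPARATOR . 'secret.mp4', 'x');
file_put_contents($private . DIRECTORY_SEPARATOR . 'secret.txt', 'description');

// Constructed candidates: one legitimate path and three that must be rejected.
$candidates = [
    $allowed . '/own.mp4',                         // legitimate: inside the allowed directory
    $allowed . '/../private_user/secret.mp4',      // '..' escape to another user's video
    $private . '/secret.txt',                      // adjacent description file, wrong extension
    $allowed . "/../private_user/secret.txt\0.mp4", // NUL byte followed by a .mp4 suffix
];

foreach ($candidates as $c) {
    printf("%-50s weak=%-6s hardened=%s\n",
        str_replace($root, '<root>', addcslashes($c, "\0")),
        weakFileUriCheck($c) ? 'accept' : 'reject',
        resolveImportPath($c, $allowed) === null ? 'reject' : 'accept');
}

// Remove the constructed layout.
foreach ([$allowed, $private] as $dir) {
    array_map('unlink', glob($dir . '/*'));
    rmdir($dir);
}
rmdir($root);
```

Run with `php` from the command line; the weak check accepts every candidate ending in ".mp4" (including the '..' escape and the NUL-byte variant), while the hardened check accepts only the file that canonicalises to a location under the allowed directory. The prefix comparison uses the base path plus a trailing separator on purpose: comparing against the bare base would let a sibling directory such as "uploads2" pass. In a real deployment the allowed directory would be the per-user upload location the application already knows, and the same canonicalise-then-compare step should guard any later read or unlink of the adjacent ".txt"/".html" files, since those operations reuse the validated path.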

Added: Mar 23, 2026, 4:20 PM
Updated: Mar 23, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread:         1.0
impact:         3.1
exploitability: 6.4
remediation:    0.0
relevance:      4.6
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.