WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A vulnerability exists in WWBN AVideo versions through 26.0, where an unauthenticated API endpoint named 'locale' allows for local file inclusion. The endpoint concatenates user input into an include path without proper validation, enabling path traversal. This flaw can be exploited to include arbitrary PHP files under the web root, leading to unauthorized file disclosure and execution of the included PHP code. The vulnerability could escalate to remote code execution if an attacker can place or control a PHP file in a writable directory.
Exploitation of this vulnerability allows for unauthenticated inclusion of arbitrary PHP files under the web root, with the executed PHP code running in the context of the web server. This could result in unauthorized access to confidential data, such as configuration files and secrets, through the included PHP files. Additionally, if an attacker can upload or control a PHP file in a writable directory, this could lead to remote code execution.
To reproduce this vulnerability, send a GET request to the 'plugin/API/get.json.php' file with the 'APIName' parameter set to 'locale' and the 'language' parameter set to a path traversal string that points to a PHP file outside the 'locale' directory, such as '../view/about.php'. The response will include the rendered About page HTML, confirming the file inclusion. For remote code execution, upload a PHP file, such as 'shell.php', to a writable directory and include it using the same method, replacing the 'language' parameter with the path to the uploaded file.
To address this vulnerability, implement input validation to reject path separators and dots, and enforce a strict allowlist of locale slugs. Use 'realpath' to verify that the target file remains within the allowed directory. Consider removing the use of 'include' for loading translations, and instead use vetted data formats like JSON or arrays. Adding authentication, such as an API secret or token, to the endpoint can also help mitigate the risk.
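The remediation steps above, combined into one lookup routine. This is an added example, not AVideo's own code or its patch: the function names, the allowlist contents, the `.json` file layout and the temporary demo directory are all assumptions made for illustration.

```php
<?php
// Hypothetical names and layout throughout; not taken from the AVideo code base.
const ALLOWED_LOCALES = ['en_US', 'pt_BR', 'de_DE']; // constructed allowlist

function resolveLocaleFile(string $localeDir, string $language): ?string
{
    // 1. Shape check: "xx" or "xx_YY" only, so no dots, slashes or NUL bytes.
    if (!preg_match('/\A[a-z]{2}(_[A-Z]{2})?\z/', $language)) {
        return null;
    }
    // 2. Strict allowlist of known locale slugs.
    if (!in_array($language, ALLOWED_LOCALES, true)) {
        return null;
    }
    // 3. Containment: the canonical path must stay inside the locale directory
    //    (also catches a symlink planted under an allowlisted name).
    $base = realpath($localeDir);
    $target = realpath($localeDir . DIRECTORY_SEPARATOR . $language . '.json');
    if ($base === false || $target === false) {
        return null;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

function loadTranslations(string $localeDir, string $language): array
{
    $file = resolveLocaleFile($localeDir, $language);
    if ($file === null) {
        return [];
    }
    // Translations are parsed as data; nothing is passed to include.
    $data = json_decode(file_get_contents($file), true);
    return is_array($data) ? $data : [];
}

// Constructed demo tree: one valid locale file, one PHP file outside locale/.
$root = sys_get_temp_dir() . '/locale_demo_' . bin2hex(random_bytes(4));
mkdir("$root/locale", 0700, true);
file_put_contents("$root/locale/en_US.json", '{"Hello":"Hello"}');
mkdir("$root/view");
file_put_contents("$root/view/about.php", '<?php echo "about";');

foreach (['en_US', '../view/about.php', '../view/about', 'xx_XX'] as $input) {
    $t = loadTranslations("$root/locale", $input);
    printf("%-20s => %s\n", $input, $t ? json_encode($t) : 'rejected');
}
```

The pattern uses `\A` and `\z` rather than `^` and `$` so that a value ending in a newline does not pass the shape check.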