WWBN AVideo Remote Code Execution Vulnerability via Insecure File Upload in ImageGallery Plugin

Vulnerability

A remote code execution vulnerability exists in the ImageGallery plugin of WWBN AVideo versions through 26.0. The plugin's saveFile() method validates uploaded files using MIME type detection, but derives the saved file's extension from the user-supplied original filename without checking it against an allowlist. An attacker can therefore upload a polyglot file that has a .php extension and contains valid JPEG magic bytes followed by PHP code. The file passes the MIME type check, yet is saved as an executable .php file in a web-accessible directory, enabling remote code execution.

Impact

Exploitation of this vulnerability allows authenticated users with permission to manage videos to execute arbitrary code on the server, with the same privileges as the web server user. This could lead to unauthorized access to sensitive files, such as database credentials, and allow for database manipulation or deletion of files accessible to the web server. Additionally, this could facilitate lateral movement within the server's network or privilege escalation, depending on the server's configuration.

Reproduction

To reproduce this vulnerability, an authenticated AVideo user account is required, along with ownership of at least one video in the ImageGallery plugin. First, create a polyglot PHP file that includes valid JPEG magic bytes followed by PHP code, and save it with a .php extension. Ensure that the file is recognized as image/jpeg by the MIME type detection. Then, upload the file through the ImageGallery plugin's upload endpoint, using the session cookie for authentication. Once uploaded, the file will be saved as a .php file in a directory accessible via the web server. The uploaded file can then be accessed and executed, triggering the PHP code.

Remediation

Users are advised to update to the patched version of AVideo, which includes a fix for this vulnerability. The recommended fix involves adding an extension allowlist check in the saveFile() method of the ImageGallery plugin, immediately after extracting the file extension from the user-supplied filename. The extension should be validated against the same set of types as the MIME allowlist. Additionally, as a defense-in-depth measure, users should add a .htaccess file to the videos directory to disable PHP execution.
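
One way to write the extension check described above, as an added example in PHP (not AVideo's own code or its actual patch). The names safeUploadName and ALLOWED_TYPES and the MIME types in the map are assumptions, since the page does not list the plugin's MIME allowlist; generating the stored filename server-side goes beyond the fix the page describes.

```php
<?php
// Added example, not AVideo code. ALLOWED_TYPES is an assumed allowlist:
// each accepted MIME type maps to the only extensions it may be saved with.
const ALLOWED_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
    'image/webp' => ['webp'],
];

/**
 * Hypothetical helper: returns a server-chosen filename for an upload,
 * or null when the upload must be rejected.
 */
function safeUploadName(string $tmpPath, string $originalName): ?string
{
    // Content check: MIME type detected from the file's bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }

    // Extension check: the step the advisory describes as missing. The
    // extension must belong to the same allowlist entry as the detected MIME
    // type, so a JPEG-looking file named "x.php" is refused here.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
        return null;
    }

    // Discard the client's base name entirely. This also drops inner
    // extensions such as "x.php.jpg", which some handler setups would run.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: a JPEG/JFIF header followed by inert text.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents(
    $tmp,
    "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00placeholder"
);
foreach (['photo.php', 'photo.JPG', 'photo.png'] as $name) {
    printf("%-10s => %s\n", $name, safeUploadName($tmp, $name) ?? 'rejected');
}
unlink($tmp);
```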

Added: Mar 23, 2026, 7:33 PM
Updated: Mar 23, 2026, 7:33 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 6.4
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.