WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 27.0
A path traversal vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the 'objects/pluginRunDatabaseScript.json.php' endpoint, which accepts a 'name' parameter via POST. This parameter is passed to 'Plugin::getDatabaseFileName()' without proper path traversal sanitization. As a result, an authenticated admin, or an attacker exploiting cross-site request forgery (CSRF), can traverse outside the plugin directory and execute the contents of any 'install/install.sql' file on the filesystem as raw SQL queries against the application database.
Exploitation of this vulnerability allows for arbitrary SQL execution, potentially leading to unauthorized data manipulation, extraction of sensitive information, or even the creation of admin accounts. Additionally, the vulnerability could be exploited via CSRF, amplifying its impact by allowing an attacker to trick an admin into executing malicious SQL commands without direct access to their account.
To reproduce this vulnerability, an authenticated admin can send a POST request to the 'objects/pluginRunDatabaseScript.json.php' endpoint with a crafted 'name' parameter that includes path traversal sequences. This will bypass the insufficient sanitization and allow access to arbitrary 'install.sql' files from other plugins. Alternatively, an attacker can exploit the vulnerability via CSRF by tricking an admin into visiting a page that automatically submits a request to the vulnerable endpoint, including the malicious 'name' parameter.
Users are advised to update to the patched version of WWBN AVideo, which includes the necessary sanitization and CSRF protection. The specific commit addressing this vulnerability is available on the WWBN AVideo GitHub repository.
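As an added illustration, not code from AVideo or from its patch, the following PHP shows one way to harden the lookup described above: an allowlist on the plugin name, plus a canonical-path check that keeps the resolved install.sql inside the plugins directory. The directory layout, the function name and the throwaway demo tree are assumptions.

```php
<?php
// Added example, not WWBN AVideo's own code. It maps a user-supplied plugin
// 'name' to that plugin's install/install.sql in a way that cannot escape the
// plugins directory. Assumed layout: $pluginsDir/<PluginName>/install/install.sql

function resolvePluginInstallSql(string $pluginsDir, string $name): ?string
{
    // 1. Allowlist the plugin name: letters, digits and underscore only.
    //    This rejects '/', '\\', '.' and NUL bytes, so '../' can never appear.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        return null;
    }

    // 2. Canonicalise both paths and confirm the script still lives below the
    //    plugins directory (defence in depth, e.g. against a symlinked plugin).
    $base = realpath($pluginsDir);
    $file = realpath($pluginsDir . '/' . $name . '/install/install.sql');
    if ($base === false || $file === false) {
        return null; // unknown plugin or no install script
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the plugins directory
    }
    return $file;
}

// Constructed demo: a temporary plugins tree with one plugin, plus a file
// outside that tree, checked with a valid name and a traversal-style name.
$root = sys_get_temp_dir() . '/avideo_demo_' . bin2hex(random_bytes(4));
mkdir("$root/plugins/Demo/install", 0700, true);
mkdir("$root/outside/install", 0700, true);
file_put_contents("$root/plugins/Demo/install/install.sql", "-- demo plugin\n");
file_put_contents("$root/outside/install/install.sql", "-- must never run\n");

var_dump(resolvePluginInstallSql("$root/plugins", 'Demo') !== null);
var_dump(resolvePluginInstallSql("$root/plugins", '../outside') === null);
```

The CSRF protection the advisory says the fix also adds is a separate, per-request check (a token bound to the admin's session) and is not part of this path check.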