WWBN AVideo Remote Code Execution Vulnerability via Unvalidated File Downloads

Vulnerability

A remote code execution vulnerability exists in WWBN AVideo versions 26.0 and prior. The issue arises in the 'downloadVideoFromDownloadURL()' function within 'objects/aVideoEncoder.json.php', where remote content is saved to a publicly accessible temporary directory. The vulnerability is exploited by sending an invalid 'resolution' parameter, which triggers an early termination of the function before the temporary file can be moved or deleted. This oversight leaves a PHP file, capable of execution, accessible under the web root at 'videos/cache/tmpFile/'.

Impact

Exploitation allows authenticated users with upload permissions to execute arbitrary PHP code on the server, leading to a full server compromise. This includes accessing and manipulating database credentials and user data, modifying or destroying video content, and using the server as a launch point for further attacks.

Reproduction

To reproduce this vulnerability, an authenticated user with upload permissions can send a POST request to 'objects/aVideoEncoder.json.php' with a 'downloadURL' parameter pointing to a PHP file hosted on an external server. The 'resolution' parameter should be set to an invalid value, which will cause the application to respond with an error while leaving the downloaded file accessible on the server.

Remediation

Users are advised to update to the patched version available in the GitHub repository. The latest version includes validation for the 'resolution' parameter and checks file extensions against an allowed list before downloading.
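As an illustration of the remediation points above, the following PHP helper is an added example and is not WWBN AVideo's own code or its actual patch. It shows the three checks a defender wants on this code path: reject an invalid 'resolution' before anything touches disk, check the file extension against an allowlist before downloading, and guarantee the temporary file is removed on every early return so a stranded file can never sit under the web root. The function name, constants and parameters ($tmpDir, $destDir) are assumptions chosen for the example.

```php
<?php
// Added example, not the project's code. Demonstrates the remediation described in
// the advisory: validate 'resolution' up front, allowlist extensions before fetching,
// and never leave a temp file behind on an early exit.

const ALLOWED_RESOLUTIONS = ['240', '360', '480', '720', '1080', '1440', '2160'];
const ALLOWED_EXTENSIONS  = ['mp4', 'webm', 'mkv', 'mov', 'avi', 'mp3'];

/**
 * Fetch $downloadURL into $tmpDir, then move it to $destDir.
 * Returns ['error' => bool, 'msg' => string, 'file' => ?string].
 * $tmpDir should live outside the web root; even so, the temp name is random and
 * carries a '.part' suffix, so a web server would not treat it as a script.
 */
function downloadVideoSafely(string $downloadURL, string $resolution, string $tmpDir, string $destDir): array
{
    // 1. Reject a bad 'resolution' BEFORE any download happens. The vulnerable path
    //    returned early only after the file was already on disk.
    if (!in_array($resolution, ALLOWED_RESOLUTIONS, true)) {
        return ['error' => true, 'msg' => 'invalid resolution', 'file' => null];
    }

    // 2. Only http(s) sources, and only allowlisted media extensions taken from the
    //    URL path. Server-executable extensions such as php are simply not in the list.
    $parts = parse_url($downloadURL);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return ['error' => true, 'msg' => 'unsupported URL scheme', 'file' => null];
    }
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return ['error' => true, 'msg' => 'file extension not allowed', 'file' => null];
    }

    // 3. Download to a random, non-executable temp name; clean it up on every exit path.
    $tmpFile = $tmpDir . '/' . bin2hex(random_bytes(16)) . '.part';
    $fh = fopen($tmpFile, 'wb');
    if ($fh === false) {
        return ['error' => true, 'msg' => 'cannot create temp file', 'file' => null];
    }
    try {
        $ch = curl_init($downloadURL);
        curl_setopt_array($ch, [
            CURLOPT_FILE           => $fh,
            CURLOPT_FOLLOWLOCATION => false, // a redirect could change the extension checked above
            CURLOPT_TIMEOUT        => 300,
            CURLOPT_FAILONERROR    => true,
        ]);
        $ok = curl_exec($ch);
        curl_close($ch);
        fclose($fh);
        if ($ok !== true) {
            return ['error' => true, 'msg' => 'download failed', 'file' => null];
        }

        // 4. The server's own MIME sniff must agree that the content is media, not a script.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpFile);
        if (!preg_match('#^(video|audio)/#', (string) $mime)) {
            return ['error' => true, 'msg' => 'content is not media', 'file' => null];
        }

        // 5. The final name is built from the allowlisted extension, never from user input.
        $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!rename($tmpFile, $dest)) {
            return ['error' => true, 'msg' => 'cannot move file', 'file' => null];
        }
        return ['error' => false, 'msg' => 'ok', 'file' => $dest];
    } finally {
        // Whichever branch returned, a temp file that was not moved is removed.
        if (is_file($tmpFile)) {
            unlink($tmpFile);
        }
    }
}
```

The ordering is the point: every validation that can fail runs before the fetch, and the single `finally` block makes the cleanup independent of how many return statements the function grows later. Keeping the temporary directory outside the document root and giving temp files a non-executable suffix are belt-and-braces measures for the case where a future edit reintroduces an early return.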

Added: Mar 23, 2026, 7:24 PM
Updated: Mar 23, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.