WWBN AVideo Unauthenticated File Deletion Vulnerability via PHP Operator Precedence Bug in CLI Guard

Vulnerability

A vulnerability exists in WWBN AVideo versions through 26.0 in the installation script 'install/deleteSystemdPrivate.php'. The issue arises from a PHP operator precedence error in the command-line access guard, which is meant to restrict the script to CLI use only. Because the logical-not operator binds more tightly than '===', the guard condition "!php_sapi_name() === 'cli'" is evaluated as "(!php_sapi_name()) === 'cli'"; the left-hand side is always false for a non-empty SAPI name, so the comparison never matches and the guard never blocks, allowing the script to be accessed via HTTP without authentication. When exploited, the script deletes files from the server's temporary directory and discloses the contents of that directory in the response.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of files in the server's temporary directory, specifically those older than 24 hours. This could disrupt normal server operations by removing important files such as PHP session files, temporary upload files, cache files, or files used by other applications that share the same temporary directory. Additionally, the vulnerability leads to information disclosure, revealing internal server paths and details about the contents of the temporary directory, including file names and counts. The deletion of temporary files could also interfere with file uploads, session management, and other operations that rely on these files.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated HTTP GET request to the 'install/deleteSystemdPrivate.php' script. The response will include a message indicating the number of items found in the temporary directory, confirming the successful exploitation of the vulnerability. This can be automated with a curl command that simulates the HTTP request.

Remediation

To address this vulnerability, the operator precedence issue in the access guard should be fixed by changing the condition to "php_sapi_name() !== 'cli'", which is true for every SAPI except the command line and therefore rejects HTTP requests as intended.
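The following PHP is an added illustration and is not code from the AVideo project: it evaluates the original guard expression and the corrected one side by side for several SAPI names (the function names and sample SAPI list are assumptions), then shows the corrected guard as it would sit at the top of a CLI-only script.

```php
<?php
// Added example, not AVideo's own code. PHP parses
//   !php_sapi_name() === 'cli'
// as (!php_sapi_name()) === 'cli' because `!` binds tighter than `===`.

// Original (vulnerable) condition, with the SAPI name passed in as a
// parameter so it can be evaluated outside a real request.
function vulnerableGuardBlocks(string $sapi): bool
{
    // (!$sapi) is false for any non-empty string, and false === 'cli'
    // is false, so this function can never return true: nothing is blocked.
    return !$sapi === 'cli';
}

// Corrected condition from the remediation: blocks every SAPI except CLI.
function fixedGuardBlocks(string $sapi): bool
{
    return $sapi !== 'cli';
}

// Constructed sample SAPI names covering CLI and common web SAPIs.
$sampleSapis = ['cli', 'apache2handler', 'fpm-fcgi', 'cgi-fcgi'];

foreach ($sampleSapis as $sapi) {
    printf(
        "%-16s vulnerable guard blocks: %-5s corrected guard blocks: %s\n",
        $sapi,
        var_export(vulnerableGuardBlocks($sapi), true),
        var_export(fixedGuardBlocks($sapi), true)
    );
}

// How the corrected guard should appear at the top of a CLI-only script:
// any request arriving through a web SAPI is refused before any file
// operation runs.
if (php_sapi_name() !== 'cli') {
    http_response_code(403);
    exit('This script can only be run from the command line.');
}
```

Run it with the PHP CLI; the table shows the original condition never blocking any SAPI, while the corrected one blocks everything but 'cli'.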

Added: Mar 31, 2026, 9:38 PM
Updated: Mar 31, 2026, 9:38 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.4
exploitability: 9.3
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.