WWBN AVideo Local File Disclosure Vulnerability via GIF Poster Fetch Bypass

Vulnerability

A local file disclosure vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in 'objects/aVideoEncoderReceiveImage.json.php', where an authenticated uploader can abuse the GIF poster storage path to read server-local files. The traversal scrubbing applied to the supplied image URL can be bypassed, so an attacker-controlled same-origin '/videos/...' URL is fetched and resolves to a local file read, potentially exposing sensitive files such as '/etc/passwd' or application source files through a public GIF media URL.

Impact

Exploitation of this vulnerability allows an authenticated uploader to read local files on the server and republish the contents via a public GIF media URL. This could include sensitive files like '/etc/passwd', application source code, or deployment-specific configuration files accessible to the application.

Reproduction

To reproduce this vulnerability, log in as an authenticated uploader and create a video. Then, send a POST request to 'objects/aVideoEncoderReceiveImage.json.php' with a crafted 'downloadURL_gifimage' parameter that includes traversal payloads to access local files, such as '/etc/passwd'. After the request is processed, the fetched file will be available through a generated public GIF URL, which can be accessed to retrieve the disclosed file contents.

Remediation

It is recommended to reject any remote image URLs that contain traversal markers, disallow attacker-controlled same-origin '/videos/...' fetches from resolving into local file reads, and validate GIF content before saving it to public media storage. Additionally, ensure that invalid-image cleanup checks the correct destination path.
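The checks the remediation calls for, as an added PHP example that is not AVideo's own code: isSafePosterUrl, isGifContent and storeValidatedGif are hypothetical names, and MEDIA_HOST is an assumed deployment value.

```php
<?php
// Added defensive example, not AVideo's own code. MEDIA_HOST is an assumed deployment value.
const MEDIA_HOST = 'avideo.example';
// Reject poster URLs that carry traversal markers or point back at our own /videos/ tree.
function isSafePosterUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $path = $p['path'] ?? '/';
    for ($i = 0; $i < 3; $i++) {         // catch %2e%2e and double-encoded variants
        $path = rawurldecode($path);
    }
    $path = str_replace('\\', '/', $path);
    if (strpos($path, '..') !== false || strpos($path, "\0") !== false) {
        return false;
    }
    // A same-origin /videos/... URL is what lets the fetch resolve to a local file read.
    if (strcasecmp($p['host'], MEDIA_HOST) === 0 && strpos($path, '/videos/') === 0) {
        return false;
    }
    return true;
}
// Accept only bytes that really are a GIF image (magic bytes plus a parse check).
function isGifContent(string $bytes): bool
{
    if (!in_array(substr($bytes, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        return false;
    }
    $info = @getimagesizefromstring($bytes);
    return $info !== false && $info[2] === IMAGETYPE_GIF;
}
// Validate before writing to public media storage; on failure unlink the path actually written.
function storeValidatedGif(string $url, string $destPath): bool
{
    if (!isSafePosterUrl($url)) {
        return false;
    }
    $bytes = @file_get_contents($url);   // remote fetch; nothing is written yet
    if ($bytes === false || !isGifContent($bytes)) {
        return false;
    }
    if (file_put_contents($destPath, $bytes) === false || !isGifContent((string) file_get_contents($destPath))) {
        @unlink($destPath);              // cleanup checks $destPath, not a guessed name
        return false;
    }
    return true;
}
```

The URL check runs before any network fetch, and the content check runs both on the downloaded bytes and on the file re-read from the destination, so an invalid image never remains reachable under a public GIF URL.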

Added: Apr 7, 2026, 8:51 PM
Updated: Apr 7, 2026, 8:51 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.