WWBN AVideo Unauthenticated Information Disclosure Vulnerability in git.json.php

Vulnerability

In WWBN AVideo versions through 29.0, the file git.json.php in the web root runs the command git log -1 and returns its output as JSON to any client. The script is standalone PHP with no authentication or session check, so anyone who can reach the web server can request it. The response exposes the hash of the deployed commit, which allows the instance to be fingerprinted against known CVEs, together with the author name, e-mail address and message of that commit, which may reference internal systems or security fixes.

Impact

An unauthenticated remote attacker learns the exact deployed revision of AVideo and can cross-reference it with known CVEs to pick vulnerabilities the instance has not yet patched. The exposed developer e-mail address supports targeted phishing and social engineering, and the commit message may contain internal project details, references to security fixes, or infrastructure information. The leak is read-only: it does not by itself execute code or modify the instance, but it removes the guesswork from subsequent attacks.

Reproduction

Send an unauthenticated GET request (no cookies, no credentials) to git.json.php in the web root, for example with curl, and pipe the response into a JSON pretty-printer such as python3 -m json.tool. A vulnerable instance answers with the output of git log -1, including a 40-character hexadecimal commit hash and an Author line containing a name and e-mail address, formatted as JSON. Note that the command only succeeds when the web root is a git checkout; on deployments that are not, the response still confirms that the unauthenticated script is present but may contain nothing beyond an error.
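The following checker is an added example for this advisory and is not code from the AVideo project. It performs the unauthenticated request described above and decides whether the response leaks git metadata. Because the advisory does not document the exact JSON layout of git.json.php, the script does not rely on specific keys; it scans the whole body for a 40-character hexadecimal commit hash and for e-mail addresses, which is what git log -1 output always contains. The SAMPLE_RESPONSE value is a constructed stand-in for a vulnerable instance's reply, included so the analysis can be exercised offline; the target URL is supplied on the command line. The same script can be re-run after remediation to confirm the endpoint no longer answers.

```python
"""Check whether an AVideo instance exposes git metadata via git.json.php.

Usage:   python3 check_git_json.py https://avideo.example.org/
Equivalent manual check (as described in the advisory):
         curl -s https://avideo.example.org/git.json.php | python3 -m json.tool
"""
import json
import re
import sys
import urllib.request
from urllib.parse import urljoin

# git prints full SHA-1 hashes as 40 lowercase hex characters.
COMMIT_RE = re.compile(r"\b[0-9a-f]{40}\b")
# Loose e-mail pattern; good enough for "Author: Name <user@host>" lines.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample of what a vulnerable instance might return. The JSON
# layout is an assumption made for this example, not AVideo's actual format.
SAMPLE_RESPONSE = json.dumps({
    "error": False,
    "msg": "",
    "response": (
        "commit 0123456789abcdef0123456789abcdef01234567\n"
        "Author: Example Dev <dev@example.org>\n"
        "Date:   Mon Apr 20 10:00:00 2026 +0000\n\n"
        "    Fix session check on admin page\n"
    ),
})


def fetch(base_url, timeout=10):
    """Request git.json.php with no cookies or credentials.

    Returns (status, body). Non-2xx responses are returned, not raised,
    so the caller can still inspect them.
    """
    url = urljoin(base_url.rstrip("/") + "/", "git.json.php")
    req = urllib.request.Request(url, headers={"User-Agent": "git-json-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def analyze(status, body):
    """Decide whether a response leaks git log output.

    A response counts as exposed when it is a 200 whose body contains a
    full commit hash. E-mail addresses are collected as supporting
    evidence. The parsed JSON is kept for the report when the body is JSON.
    """
    result = {"exposed": False, "commits": [], "emails": [], "json": None}
    if status != 200:
        return result
    try:
        result["json"] = json.loads(body)
    except ValueError:
        pass  # a leak can still be present in a non-JSON body
    result["commits"] = sorted(set(COMMIT_RE.findall(body)))
    result["emails"] = sorted(set(EMAIL_RE.findall(body)))
    result["exposed"] = bool(result["commits"])
    return result


def main(argv):
    if len(argv) != 2:
        print(__doc__)
        return 2
    status, body = fetch(argv[1])
    report = analyze(status, body)
    print(json.dumps({"status": status, **report}, indent=2))
    # Exit code 1 signals "exposed", which makes the script usable in CI.
    return 1 if report["exposed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check deliberately treats only a 200 response containing a commit hash as a positive: a 403 or 404 after remediation, or a 200 with an error body on a non-git deployment, is reported as not exposed but still printed in full so the operator can see what the endpoint returned.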

Remediation

Delete git.json.php from the web root; it serves no user-facing purpose and exists only as a development artifact, so it should also be removed from packaged releases. Until the file is removed, deny access to it at the web server. If administrators need the deployed revision, expose it only behind the application's authenticated admin session, and treat the commit hash as sensitive since it identifies unpatched versions.

Added: Apr 21, 2026, 11:44 PM
Updated: Apr 21, 2026, 11:44 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 9.7
remediation: 8.3
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.