WWBN AVideo Path Traversal Vulnerability in Locale Save Endpoint Allows Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in WWBN AVideo versions through 29.0. The locale save endpoint (locale/save.php) builds the target file path by appending the 'flag' parameter of the POST request directly to the locale directory path, without validating or sanitizing it. An authenticated admin, or an attacker who can get a logged-in admin to submit the request via cross-site request forgery (CSRF), can therefore use '../' sequences to escape the locale directory and write an arbitrary PHP file to any location the web server user can write to, leading to remote code execution. The CSRF vector works because the endpoint does not validate a CSRF token and AVideo sets its session cookies with 'SameSite=None', so a cross-site POST from a page the admin visits is sent with the admin's session cookie attached.

Impact

Successful exploitation gives remote code execution on the server, with the attacker's code running as the web server user. From there an attacker can read or modify the database and user data and may be able to escalate privileges on the host, amounting to a full server compromise.

Reproduction

An authenticated admin can trigger the issue by sending a POST request to the 'locale/save.php' endpoint with a 'flag' parameter containing directory traversal sequences such as '../../' and a 'code' parameter containing the PHP code to be written. Because the endpoint does not validate a CSRF token, an attacker without admin credentials can cause the same request to be sent by tricking a logged-in admin into visiting a malicious page that submits the form automatically; the browser attaches the admin's session cookie to the cross-site POST, so the request is processed with admin privileges.

Remediation

Users are advised to update to a patched version of WWBN AVideo, which validates the 'flag' parameter to prevent path traversal and adds CSRF protection to the endpoint. Instructions for updating can be found in the AVideo repository.
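The following PHP is an added illustration of the vulnerable pattern the advisory describes and of the two fixes the remediation calls for; it is not AVideo's own code, and the locale directory location, the function names, the session and token layout, and the assumed shape of a locale flag (for example 'en' or 'pt_BR') are assumptions made for the example.

```php
<?php
// Added example, not AVideo's code. Reconstructs the pattern the advisory
// describes (locale/save.php appends the POST 'flag' parameter to a path) and
// shows a hardened version. All names and paths below are assumptions.

declare(strict_types=1);

// Assumed location of the locale directory.
const LOCALE_DIR = __DIR__ . '/locale';

/**
 * Vulnerable pattern as described in the advisory: 'flag' is concatenated into
 * the path unchecked, so flag = "../../tmp/shell" escapes LOCALE_DIR and the
 * attacker-controlled 'code' body is written as a PHP file anywhere the web
 * server user can write.
 */
function saveLocaleVulnerable(array $post): string
{
    $target = LOCALE_DIR . '/' . $post['flag'] . '.php';
    file_put_contents($target, $post['code']);
    return $target;
}

/**
 * Hardened version with three independent checks:
 *  1. CSRF: the request must carry the token bound to the admin's session.
 *  2. Allow-list: 'flag' must look like a locale code, which excludes
 *     '/', '\', '.' and NUL outright (assumed format: xx or xx_YY).
 *  3. Containment: the resolved parent directory must still be LOCALE_DIR.
 *     Redundant given the allow-list, but it catches future regressions.
 */
function saveLocaleHardened(array $post, array $session): string
{
    // 1. CSRF token check, constant-time compare against the session token.
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals((string) $session['csrf_token'], (string) $post['csrf_token'])) {
        throw new RuntimeException('CSRF token missing or invalid');
    }

    // 2. Strict allow-list for the locale flag.
    $flag = (string) ($post['flag'] ?? '');
    if (!preg_match('/^[a-z]{2,3}(?:_[A-Z]{2})?$/', $flag)) {
        throw new InvalidArgumentException('Invalid locale flag');
    }

    // 3. Containment check on the resolved path.
    $baseReal = realpath(LOCALE_DIR);
    if ($baseReal === false) {
        throw new RuntimeException('Locale directory missing');
    }
    $target = $baseReal . DIRECTORY_SEPARATOR . $flag . '.php';
    if (realpath(dirname($target)) !== $baseReal) {
        throw new RuntimeException('Path escapes locale directory');
    }

    file_put_contents($target, (string) ($post['code'] ?? ''));
    return $target;
}

/**
 * Session setup for the admin UI. SameSite=None (the setting the advisory
 * reports) lets a cross-site POST carry the cookie; Lax or Strict blocks that
 * vector for top-level cross-site form posts. The token is generated once per
 * session and must be embedded in the locale form as 'csrf_token'.
 */
function startAdminSession(): string
{
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',   // not 'None'
    ]);
    session_start();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
```

The allow-list check is the one that actually closes the traversal; the realpath containment check and the cookie change are defence in depth, and the CSRF token is what prevents a third party from driving the endpoint through an admin's browser even if the cookie policy is later relaxed again.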

Added: Apr 21, 2026, 11:44 PM
Updated: Apr 21, 2026, 11:44 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.