WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 25.0
- 29.0
A path traversal vulnerability has been identified in the WWBN AVideo platform, specifically in versions 29.0 and below. The issue arises in the CloneSite plugin's 'deleteDump' parameter, which fails to properly sanitize input before it is used to delete files. This oversight allows attackers to manipulate the parameter with '../' sequences to delete arbitrary files on the server via the 'unlink()' function. Exploitation of this vulnerability can lead to the deletion of critical application files, causing a denial-of-service condition or facilitating further attacks by removing essential security files.
Exploitation of this vulnerability allows for arbitrary file deletion on the server. Deleting the 'configuration.php' file takes the site offline, while removal of '.htaccess' files can expose protected directories. Additionally, deletion of system files can disrupt other services.
The vulnerability can be reproduced by sending a crafted HTTP request to the 'cloneServer.json.php' endpoint of the CloneSite plugin. The request must include a valid 'deleteDump' parameter value that contains path traversal sequences, such as '../../configuration.php', to target and delete specific files on the server.
Users are advised to update to AVideo version 29.0 or later, where this vulnerability has been addressed. The fix involves implementing proper path validation and sanitization for the 'deleteDump' parameter to prevent path traversal attacks.
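One way to implement the path validation described above, shown here as an added PHP example rather than AVideo's own code: the dump directory, the function names and the accepted file-name pattern are assumptions made for illustration.

```php
<?php
// Added example (not AVideo's code). The unsafe pattern the advisory describes is
// effectively unlink($dumpDir . $_REQUEST['deleteDump']); the version below only
// ever unlinks a file that resolves inside the intended dump directory.

function resolveDumpPath(string $dumpDir, string $requested): ?string
{
    // Canonical absolute path of the directory dump files are allowed to live in.
    $baseReal = realpath($dumpDir);
    if ($baseReal === false) {
        return null;
    }
    // Accept only a bare file name: no slashes, backslashes or NUL bytes, no "." / "..".
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // Allow-list the naming scheme dump files are expected to use (assumed pattern).
    if (!preg_match('/^[A-Za-z0-9._-]+\.(sql|zip|tar\.gz)$/', $requested)) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // no such file
    }
    // The resolved path must still sit below the dump directory; this also catches
    // a symlink inside the directory that points somewhere else.
    if (strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function deleteDumpFile(string $dumpDir, string $requested): bool
{
    $path = resolveDumpPath($dumpDir, $requested);
    if ($path === null || !is_file($path)) {
        return false; // refused: traversal attempt, bad name, or not a regular file
    }
    return unlink($path);
}

// Constructed demonstration in a throw-away temporary directory.
$tmp = sys_get_temp_dir() . '/dumps_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
file_put_contents($tmp . '/site.sql', 'dump');
var_dump(resolveDumpPath($tmp, '../../configuration.php')); // traversal is refused
var_dump(deleteDumpFile($tmp, 'site.sql'));                  // legitimate dump is removed
```

Logging every refused request (name and remote address) gives an easy detection signal, since a legitimate client never sends a path separator in this parameter.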