WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A directory traversal vulnerability has been identified in WWBN AVideo versions 29.0 and below. The issue arises in 'objects/aVideoEncoderReceiveImage.json.php', where the traversal fix only inspects the URL path component for '..' sequences. This oversight allows an authenticated user to place a same-origin '/videos/...' URL in the query string, which bypasses the check. The downstream function 'try_get_contents_from_local()' then resolves the traversed path and reads arbitrary files from the server filesystem. The vulnerability was introduced in a previous version and persisted through the initial fix, leaving the GIF download URL parameter exploitable.
Exploitation of this vulnerability enables authenticated users with upload permissions to read any file on the server that the web server process can access. This includes sensitive files like '/etc/passwd' and application source code, which can be republished through a public GIF media URL.
To reproduce this vulnerability, log in as an authenticated user with upload permissions. Create a video and send a POST request to 'objects/aVideoEncoderReceiveImage.json.php' with a crafted 'downloadURL_gifimage' parameter that includes a traversal payload in the query string, such as '/videos/../../etc/passwd'. The response will indicate that the file was successfully read and written to the video's thumbnail URL, where it can be downloaded and verified.
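As an added illustration that is not AVideo's own code or its patch, the following PHP models the mismatch described above: a '..' check that inspects only the URL path component, beside a local-file mapping that works on the raw URL string, followed by a hardened check that validates the canonicalized path actually opened. The function names, the '/videos/' mapping rule and the sample inputs are assumptions.

```php
<?php
// Added illustration, not AVideo's code or its patch. It models the advisory's
// mismatch: the '..' check inspects the URL path component, while the local
// file mapping (hypothetical here) works on the raw URL string.

// Hypothetical mapping step: everything after the first '/videos/' in the raw
// URL is treated as a path under $videosDir (assumed name).
function mapToLocal(string $url, string $videosDir): ?string {
    $pos = strpos($url, '/videos/');
    if ($pos === false) return null;
    return $videosDir . '/' . substr($url, $pos + strlen('/videos/'));
}

// Weak check: only the path component is inspected, so '..' carried in the
// query string is never seen.
function weakLooksSafe(string $url): bool {
    $path = (string)(parse_url($url, PHP_URL_PATH) ?: '');
    return strpos($path, '..') === false;
}

// Hardened check: validate the exact path that will be opened, after
// canonicalization, and require it to stay inside $videosDir.
function safeLocalPath(string $url, string $videosDir): ?string {
    $root = realpath($videosDir);
    $target = mapToLocal($url, $videosDir);
    if ($root === false || $target === null) return null;
    $resolved = realpath($target);   // false when the file does not exist
    if ($resolved === false) return null;
    // Trailing separator so a sibling such as '/srv/videos2' cannot match '/srv/videos'.
    if (strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) return null;
    return $resolved;
}

// Constructed inputs for a local run.
$videosDir = sys_get_temp_dir() . '/videos_demo';
@mkdir($videosDir);
file_put_contents($videosDir . '/ok.gif', 'GIF89a');
$benign  = 'https://example.test/videos/ok.gif';
$crafted = 'https://example.test/dl?src=https://example.test/videos/../../etc/passwd';

var_dump(weakLooksSafe($crafted));                      // true: path is '/dl', check passes
var_dump(safeLocalPath($benign, $videosDir) !== null);  // true: stays under $videosDir
var_dump(safeLocalPath($crafted, $videosDir));          // NULL: resolves outside $videosDir
```

The point to carry over is that the containment decision must be made on the same canonicalized path the code opens, not on a substring search over one component of the input.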
The vulnerability has been patched in commit bd11c16ec894698e54e2cdae25026c61ad1ed441. Users should update to the latest version of WWBN AVideo.