WWBN AVideo Command Injection Vulnerability in Unauthenticated Server-Side Request Forgery

Vulnerability

A command injection vulnerability has been identified in WWBN AVideo versions through 29.0, specifically in the 'plugin/Live/test.php' file. The issue arises from an incomplete fix for a previous server-side request forgery (SSRF) vulnerability. While the latest commit added proper sanitization for 'wget' commands, it neglected to address the same sanitization for 'file_get_contents' and 'curl' methods, leaving them vulnerable to exploitation. The URL validation regex used in the vulnerable version is also inadequate, as it accepts malformed URLs that can be used for malicious purposes.

Impact

Exploitation of this vulnerability allows command injection through the 'wget' invocation and can lead to remote code execution on the server hosting AVideo.

Reproduction

The vulnerability can be reproduced by sending a request to 'plugin/Live/test.php' with a crafted 'statsURL' parameter that exploits the unsanitized 'wget' command. This can be done by including shell metacharacters, such as semicolons or backticks, in the URL. The injected commands will be executed on the server, demonstrating the command injection flaw.

Remediation

Users are advised to update to AVideo version 29.0 or later, where this vulnerability has been patched. If the 'test.php' file must be retained in a production environment, it should be secured by requiring admin authentication, allowing only requests to pre-approved Live stats URLs, and blocking access to localhost and internal IP ranges.
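As an added, defender-side example that is not AVideo's own code: a hypothetical PHP check that implements the allowlist and internal-address parts of the mitigation above for the 'statsURL' parameter and hands the result to wget as a single escaped argument. It assumes the admin authentication check runs before it is called; the allowlist entry and helper names are constructed for the example.

```php
<?php
// Added example (hypothetical helpers, not AVideo's code); allowlist values are constructed.
const APPROVED_STATS_URLS = [
    'https://stats.example.com/live/stats.json',
];

/**
 * Returns the validated URL, or null when the request must be refused.
 * $resolve maps a hostname to an IP (defaults to gethostbyname) so the
 * loopback/internal-range check can be exercised without live DNS.
 */
function validateStatsUrl(string $candidate, ?callable $resolve = null): ?string
{
    // Must be a syntactically valid absolute URL with an http(s) scheme
    // and a host; this rejects malformed URLs and file:// style schemes.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($candidate);
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Shell metacharacters (;, backticks, $, |, &, quotes, whitespace) never
    // belong in a stats URL, so refuse them before anything reaches a shell.
    if (preg_match('/[;`$|&<>\'"\\\\\s]/', $candidate)) {
        return null;
    }
    // Exact match against the allowlist, not a prefix or regex match.
    if (!in_array($candidate, APPROVED_STATS_URLS, true)) {
        return null;
    }
    // Even an allowlisted host must not resolve to localhost or an internal
    // range (covers misconfiguration and DNS rebinding of the allowlisted name).
    $ip = ($resolve ?? 'gethostbyname')($parts['host']);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }
    return $candidate;
}

/** Passes the validated URL to wget as one quoted argument, never raw. */
function buildWgetCommand(string $validatedUrl): string
{
    return 'wget -q -O - ' . escapeshellarg($validatedUrl);
}
```

The same validated URL should be used for the 'file_get_contents' and 'curl' paths, so that all three fetch methods share one check rather than only the wget branch.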

Added: Apr 22, 2026, 12:42 AM
Updated: Apr 22, 2026, 12:42 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 7.5
exploitability: 9.7
remediation: 6.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.