WWBN AVideo CloneSite Plugin Command Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in the WWBN AVideo platform, specifically in versions 29.0 and below. The issue arises within the CloneSite plugin, where the `cloneServer.json.php` endpoint improperly sanitizes user-controlled input in the `url` parameter. This unsanitized input is directly appended to a `wget` command executed via `exec()`, creating a command injection vulnerability. An attacker can exploit this by injecting arbitrary shell commands, breaking out of the intended URL context with shell metacharacters, and executing them on the server.
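
The pattern the advisory describes, a client-supplied URL concatenated into a `wget` command string and run through `exec()`, is shown below in its hardened form. This is an added example and not AVideo's own code: the parameter name `url` comes from the advisory, while the function names and the output path are assumed for illustration.

```php
<?php
// Added example (not AVideo's own code). Hardened handling of a
// client-supplied URL before it reaches a wget command run via exec().
// Assumed: the request parameter is named `url` (as in the advisory);
// function names and the output path are illustrative.

function validateCloneUrl(string $candidate): ?string
{
    // Must be a syntactically valid absolute URL.
    $url = filter_var($candidate, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    // Allow only http/https; FILTER_VALIDATE_URL alone accepts any scheme.
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

function buildWgetCommand(string $url, string $outFile): string
{
    // escapeshellarg() single-quotes each value, so shell metacharacters in
    // $url reach wget as literal characters instead of being interpreted by
    // the /bin/sh that exec() invokes. The `--` stops wget from treating a
    // value that begins with '-' as an option.
    return 'wget -q -O ' . escapeshellarg($outFile) . ' -- ' . escapeshellarg($url);
}

$url = validateCloneUrl($_REQUEST['url'] ?? '');
if ($url === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'url must be an absolute http(s) URL']);
    exit;
}

// Unpredictable destination file under the system temp directory.
$outFile = sys_get_temp_dir() . '/clone_' . bin2hex(random_bytes(8)) . '.json';
exec(buildWgetCommand($url, $outFile), $output, $status);
if ($status !== 0) {
    http_response_code(502);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'download failed']);
    exit;
}
```

Removing the shell altogether, for example by fetching the URL with PHP's cURL extension instead of `exec()` plus `wget`, eliminates the injection surface rather than escaping around it.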

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running as the web server user. This could lead to a full compromise of the server, including unauthorized access to the database and user data, and potential escalation of privileges on the host.

Reproduction

To reproduce this vulnerability, first create a malicious site that can handle incoming requests and execute injected commands. Then, upload a payload that exploits the command injection vulnerability by injecting PHP code into the `cloneSiteURL` parameter. Finally, access the `plugin/CloneSite/cloneClient.json.php` endpoint to trigger execution of the injected PHP code on the server.

Remediation

Users are advised to update to version 29.1 or later, where this vulnerability has been fixed.

Added: Apr 22, 2026, 12:33 AM
Updated: Apr 22, 2026, 12:33 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.