WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A shell metacharacter injection vulnerability has been identified in WWBN AVideo versions through 29.0. The issue arises in the YPTSocket notification branch of the Live plugin, specifically in the 'on_publish.php' file. The vulnerability allows attackers to inject arbitrary commands by exploiting unescaped variables that are concatenated into a command line for execution. This flaw is particularly concerning as it enables pre-authentication remote code execution on the server.
Exploitation of this vulnerability allows for arbitrary OS command execution with the privileges of the web server user. This could lead to reading sensitive files such as database credentials, writing a web shell to a publicly accessible directory, or accessing other sensitive information through available plugin credentials.
To reproduce this vulnerability, an attacker must first authenticate and obtain a 'canStream' user account. They can then inject a single quote into the stream key, which is saved in the 'live_transmitions' table. After this, the attacker can send a POST request to 'on_publish.php' with the injected stream key. The vulnerability is triggered when the 'on_publish_socket_notification.php' script is executed, as the injected command is processed by the shell, leading to command execution.
Users are advised to update to a version of WWBN AVideo that has addressed this vulnerability by properly escaping shell arguments. Additionally, 'on_publish.php' should be restricted to local access only, preventing public reachability.
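The remediation above (escaping shell arguments) shown beside the unsafe concatenation pattern, as an added PHP example that is not AVideo's source code. The function names, the script name `notify.php`, the argument layout and the allowed key alphabet are assumptions made for illustration; the commands are only built and printed, never executed.

```php
<?php
// Added illustration, not AVideo code. All names here are hypothetical.

// Unsafe pattern: the value is wrapped in single quotes by hand. A single
// quote inside the value closes that quoting, and the shell parses the rest.
function buildCommandUnsafe(string $script, string $streamKey): string
{
    return "php " . $script . " '" . $streamKey . "' > /dev/null 2>&1 &";
}

// Hardened pattern: escapeshellarg() quotes the value and escapes embedded
// single quotes, so the shell receives it as exactly one argument.
function buildCommandSafe(string $script, string $streamKey): string
{
    return "php " . escapeshellarg($script) . " "
         . escapeshellarg($streamKey) . " > /dev/null 2>&1 &";
}

// Defence in depth: refuse keys outside an expected alphabet before they are
// stored or used. The alphabet and length limit are assumptions.
function isPlausibleStreamKey(string $key): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $key) === 1;
}

// Constructed sample values: one ordinary key, one containing a single quote
// followed by a harmless marker command.
$samples = ["5f2a9c_live", "abc'; echo INJECTED; '"];

foreach ($samples as $key) {
    echo "key:      ", $key, PHP_EOL;
    echo "accepted: ", isPlausibleStreamKey($key) ? "yes" : "no", PHP_EOL;
    echo "unsafe:   ", buildCommandUnsafe("notify.php", $key), PHP_EOL;
    echo "safe:     ", buildCommandSafe("notify.php", $key), PHP_EOL, PHP_EOL;
}
```

For the second sample, the unsafe line contains a bare `echo INJECTED` outside any quoting, while the safe line keeps the whole value inside one quoted argument.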