WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
An authenticated arbitrary file read vulnerability has been identified in WWBN AVideo versions 29.0 and earlier. The issue arises in view/update.php, where the script reads the updateFile parameter from the POST request as a relative path under the updatedb directory. This path is then passed to PHP's file() function for line-by-line execution during a database migration. An authenticated administrator could exploit this vulnerability to read arbitrary text files accessible to the web server process. This is particularly concerning on misconfigured deployments where sensitive files like /etc/passwd or .env are reachable relative to the AVideo directory.
Exploitation of this vulnerability allows authenticated administrators to read arbitrary text files from the server, potentially exposing sensitive information such as environment variables or application configuration details.
To reproduce this vulnerability, an authenticated administrator can send a POST request to view/update.php with the updateFile parameter set to a relative path that traverses to a sensitive file, such as /etc/passwd. The response will include the contents of the file, line by line, echoed in the migration-runner HTML output.
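The weakness described above comes down to using a request parameter as a path without canonicalising it or constraining it to the migration directory. The following PHP is an added example written for this page, not AVideo's own code: the unsafe function is a minimal reconstruction of the behaviour the advisory describes, and the `UPDATEDB_DIR` constant, function names and sample file names are assumptions.

```php
<?php
// Added example for this advisory (not AVideo code). Directory and names assumed.
const UPDATEDB_DIR = __DIR__ . '/updatedb';

// Unsafe pattern as described in the advisory: the POST value is joined to the
// directory as-is, so "../" segments walk out of updatedb.
function resolveUpdateFileUnsafe(string $updateFile): string
{
    return UPDATEDB_DIR . '/' . $updateFile;
}

// Step 1: allow-list the file name. Exactly one path segment, .sql extension,
// no separators, so traversal sequences cannot be expressed at all.
function isAllowedUpdateFileName(string $updateFile): bool
{
    return preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.sql$/', $updateFile) === 1;
}

// Step 2: defence in depth. realpath() resolves symlinks and "..", so the
// canonical path must still start with the canonical updatedb directory.
function resolveUpdateFileSafe(string $updateFile): ?string
{
    if (!isAllowedUpdateFileName($updateFile)) {
        return null;
    }
    $base = realpath(UPDATEDB_DIR);
    $full = realpath(UPDATEDB_DIR . DIRECTORY_SEPARATOR . $updateFile);
    if ($base === false || $full === false) {
        return null; // directory or migration file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Migration runner: reject bad input with a generic error, log the attempt for
// the SOC, and never echo the lines of the file back to the client.
function runMigration(string $updateFile, callable $execSql): bool
{
    $path = resolveUpdateFileSafe($updateFile);
    if ($path === null) {
        error_log('update.php: rejected updateFile=' . json_encode($updateFile));
        return false;
    }
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $execSql($line); // e.g. a prepared-statement wrapper; output stays server-side
    }
    return true;
}

// Constructed inputs to show the allow-list alone already blocks traversal.
foreach (['2024_add_column.sql', '../../../etc/passwd', 'x.sql/../../.env'] as $name) {
    printf("%-24s %s\n", $name, isAllowedUpdateFileName($name) ? 'allowed' : 'rejected');
}
```

Only the first constructed name passes the allow-list; the other two are rejected before any filesystem call is made.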