WWBN AVideo Path Traversal Vulnerability Allowing Unauthenticated Arbitrary Image Read

Vulnerability

A path traversal vulnerability has been identified in WWBN AVideo versions 14.x and earlier. It allows unauthenticated remote attackers to read arbitrary image files from the server's disk, including private user-profile photos, admin-uploaded thumbnails, encrypted-video poster frames, and images in sibling-application directories. The vulnerability arises because the 'image' GET parameter is not properly sanitized, so '..' segments are honoured and files outside the intended image directory become readable.

Impact

Exploitation of this vulnerability gives unauthorized access to private images, bypassing the application's access controls. Images stored outside the AVideo installation directory can also be read, exposing potentially sensitive user data. Because uploaded images follow predictable naming conventions, the flaw also allows private images to be enumerated.

Reproduction

To reproduce this vulnerability, send a GET request to 'view/img/image404Raw.php' with the 'image' parameter set to a path containing '..' traversal segments that resolves to an arbitrary image file. Depending on the web server's file permissions, this can reach private user photos or images in sibling application directories.

Remediation

Users are advised to update to the latest version of WWBN AVideo, as this vulnerability has been patched in version 14.1 and later.
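The following is an added example, not code from the advisory or from the AVideo project. It shows, from the defender's side, the two things a practitioner usually wants after reading the Reproduction and Remediation sections above: the path-containment check the endpoint should enforce (URL-decode until stable, normalize '..' segments, then require the result to stay under the image directory), and the same normalization applied to access-log lines to triage past requests to 'view/img/image404Raw.php'. The image base directory and the log lines are constructed assumptions; the real install layout will differ.

```python
"""Added example (not part of the original advisory or the AVideo project).

Two defender-side helpers for the 'image' parameter of view/img/image404Raw.php:
  * resolve_image_path(): the containment check a fixed endpoint should apply.
  * scan_log(): triage of constructed access-log lines with that same logic.
"""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

AFFECTED_SCRIPT = "view/img/image404Raw.php"   # endpoint named in the advisory
IMAGE_BASE = "/var/www/avideo/videos/"          # ASSUMED install layout; adjust to yours

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2026:14:01:02 +0000] "GET /view/img/image404Raw.php?image=thumb1.jpg HTTP/1.1" 200 8123
203.0.113.9 - - [29/May/2026:14:01:05 +0000] "GET /view/img/image404Raw.php?image=..%2F..%2Fotherapp%2Fphoto.jpg HTTP/1.1" 200 4411
198.51.100.7 - - [29/May/2026:14:01:09 +0000] "GET /view/img/image404Raw.php?image=sub/../ok.jpg HTTP/1.1" 200 500
198.51.100.8 - - [29/May/2026:14:01:12 +0000] "GET /index.php HTTP/1.1" 200 2000
"""


def resolve_image_path(image_param: str, base: str = IMAGE_BASE) -> Optional[str]:
    """Return the normalized absolute path if it stays under base, else None.

    Decoding is repeated until the string stops changing (bounded), so a
    double-encoded '%252F' cannot slip past a single decode. NUL bytes and
    absolute paths are rejected outright. 'base' must end with '/' so that a
    sibling directory sharing the prefix (e.g. videos2/) is not accepted.
    """
    decoded = image_param
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if not candidate.startswith(base):
        return None
    return candidate


def parse_request_target(log_line: str) -> Optional[str]:
    """Extract 'path?query' from the quoted request of a combined-format log line."""
    try:
        request = log_line.split('"')[1]     # 'GET /path?query HTTP/1.1'
        return request.split(" ")[1]
    except IndexError:
        return None


def classify_line(log_line: str) -> str:
    """'ignore' for other endpoints, 'ok' for contained paths, 'traversal' for escapes."""
    target = parse_request_target(log_line)
    if target is None:
        return "ignore"
    parts = urlsplit(target)
    if not parts.path.endswith(AFFECTED_SCRIPT):
        return "ignore"
    # parse_qs already percent-decodes once; resolve_image_path decodes further if needed.
    image = parse_qs(parts.query).get("image", [""])[0]
    return "ok" if resolve_image_path(image) else "traversal"


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, verdict) for every line that targets the affected endpoint."""
    findings = []
    for line in text.splitlines():
        verdict = classify_line(line)
        if verdict != "ignore":
            findings.append((line.split(" ")[0], verdict))
    return findings


if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(ip, verdict)
```

Running the script prints one verdict per request to the affected endpoint; the second constructed line is flagged because its decoded path normalizes to a location outside the image directory, while the third line's harmless 'sub/../ok.jpg' is accepted because it still resolves under the base. The same prefix check, applied before any file is opened, is the core of a fix regardless of the framework.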

Added: May 29, 2026, 2:23 PM
Updated: May 29, 2026, 2:23 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 9.7
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.