KodBox Command Injection Vulnerability in FileThumb Plugin Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the KodBox application, specifically in versions through 1.64, within the FileThumb plugin. The issue arises in the 'parseVideoInfo' function of 'VideoResize.class.php', where the 'ffmpegBin' argument can be manipulated to execute arbitrary commands on the server. This vulnerability can be exploited remotely by authenticated users with plugin configuration rights.
Impact
Exploitation of this vulnerability allows authenticated users with plugin configuration rights to execute arbitrary commands on the server where KodBox is hosted. The executed commands run with the same privileges as the web server user, potentially leading to a full server compromise.
Reproduction
To reproduce this vulnerability, log in as an administrator and upload a video file that will be processed by the FileThumb plugin's video preview feature. After uploading the file, inject a malicious 'ffmpegBin' value through the 'admin/plugin/setConfig' endpoint. This injected value can include arbitrary shell commands. Once the malicious 'ffmpegBin' value is set, clear the plugin's FFmpeg cache to ensure the new value is used. Finally, trigger the video preview, which will execute the injected command on the server.
Remediation
To address this vulnerability, remove the direct concatenation of the 'ffmpegBin' value into shell commands. Instead, use safe process execution methods that separate command arguments to prevent injection. Additionally, validate and whitelist 'ffmpegBin' configurations to reject unsafe values before they can be exploited.
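As an added illustration (not KodBox's own code), the PHP below shows the unsafe pattern the advisory describes next to a hardened version of the remediation: the configured binary path is checked against an allow-list before use, and the process is started with an argv array through proc_open() so no shell ever parses the value. The function names, the allowed-directory list and the file argument are assumptions; only the 'ffmpegBin' setting and the parseVideoInfo name come from the advisory.

```php
<?php
// Added example, not KodBox's code. Names other than 'ffmpegBin' and
// parseVideoInfo are hypothetical.

// Unsafe pattern (what the advisory describes): the configured binary path is
// concatenated into a command string, so shell metacharacters in the
// 'ffmpegBin' setting are interpreted by /bin/sh. Escaping only the file
// argument does not help, because the binary itself is unescaped.
function parseVideoInfoUnsafe(string $ffmpegBin, string $file): string
{
    $cmd = $ffmpegBin . ' -i ' . escapeshellarg($file) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Hardened: allow-list the configured binary before it is stored or used.
// Directories are an assumption; an installation would list its own.
const FFMPEG_ALLOWED_DIRS = ['/usr/bin', '/usr/local/bin', '/opt/ffmpeg/bin'];

function validateFfmpegBin(string $ffmpegBin): ?string
{
    // Plain absolute path, safe characters only: no spaces, quotes, ';', '|', '$'.
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#', $ffmpegBin)) {
        return null;
    }
    // Resolve symlinks and require an existing executable file.
    $real = realpath($ffmpegBin);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    // Only the expected tool names, only from approved directories.
    if (!in_array(basename($real), ['ffmpeg', 'ffprobe'], true)) {
        return null;
    }
    if (!in_array(dirname($real), FFMPEG_ALLOWED_DIRS, true)) {
        return null;
    }
    return $real;
}

// Hardened execution: proc_open() with an argv array (PHP >= 7.4) passes each
// element to execve() as one argument, so no shell is involved at all.
function parseVideoInfoSafe(string $ffmpegBin, string $file): string
{
    $bin = validateFfmpegBin($ffmpegBin);
    if ($bin === null) {
        throw new InvalidArgumentException('ffmpegBin rejected by allow-list');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([$bin, '-i', $file], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ffmpeg');
    }
    // ffmpeg prints stream info to stderr when no output file is given.
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}
```

The same validateFfmpegBin() check belongs in the configuration-save path as well as at execution time, so an unsafe value is rejected when an administrator submits it rather than stored and later cleared from cache into use. Passing the media file as its own argv element also keeps file names with shell metacharacters from ever reaching a shell.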
