WWBN AVideo Remote Code Execution via Locale Save Path Traversal
WWBN AVideo is vulnerable to remote code execution due to a path traversal vulnerability in the `locale/save.php` endpoint, allowing an attacker to write arbitrary PHP files to any web-accessible directory via a maliciously crafted `flag` parameter, which can be exploited through CSRF.
WWBN AVideo, versions 29.0 and earlier, is susceptible to a critical remote code execution (RCE) vulnerability. The flaw resides in the locale/save.php endpoint, which lacks proper sanitization of the $_POST['flag'] parameter. This allows an attacker to inject path traversal sequences (e.g., ../) and write arbitrary PHP files to any directory on the server where the web user has write permissions. The vulnerability is further exacerbated by the absence of CSRF protection on the endpoint, coupled with the application's use of SameSite=None for session cookies. This allows for trivial CSRF exploitation, meaning an attacker can trigger the vulnerability simply by luring an authenticated administrator to visit a malicious webpage. Successful exploitation grants the attacker the ability to execute arbitrary PHP code, leading to full server compromise.
Attack Chain
- An attacker crafts a malicious HTTP POST request targeting the
/locale/save.phpendpoint. - The request includes a
flagparameter containing path traversal sequences (e.g.,../../webshell) and acodeparameter with PHP code designed to execute arbitrary commands. - The AVideo application concatenates the unsanitized
flagvalue with the base directory and.phpextension, resulting in a path like{systemRootPath}locale/../../webshell.php. - The application attempts to open the file at the constructed path for writing using
fopen(). Due to the path traversal, this escapes the intendedlocale/directory. - The content from the
codeparameter is written to the file usingfwrite(), creating a PHP webshell (e.g.,webshell.php) in a web-accessible directory, such as the web root. - The attacker accesses the created webshell via an HTTP GET request (e.g.,
https://target/webshell.php?c=id), passing a command to be executed as a parameter. - The webshell executes the attacker-supplied command using a function like
system()orexec(). - The attacker gains arbitrary code execution on the server, enabling them to read/modify files, access the database, and potentially escalate privileges.
Impact
Successful exploitation of this vulnerability allows for unauthenticated remote code execution, leading to full compromise of the AVideo server. An attacker can gain complete control of the affected system, potentially impacting all user data, system configurations, and any connected services. Given the nature of AVideo as a video platform, a successful attack could also lead to the compromise and distribution of sensitive video content. The lack of CSRF protection significantly widens the attack surface, as exploitation does not require direct access to an administrator's session.
Recommendation
- Implement the recommended fix in the advisory by sanitizing the
flagparameter usingbasename()to prevent path traversal, as described in the overview. - Implement CSRF protection by adding token validation to the
locale/save.phpendpoint and setting theSameSiteattribute toStrictorLaxfor session cookies. - Deploy the Sigma rule "AVideo Webshell Creation via Locale Save" to detect attempts to create PHP files with suspicious content in the web root, alerting on potential exploitation attempts.
- Monitor web server logs for POST requests to
/locale/save.phpwithflagparameters containing path traversal sequences (e.g.,../), using the provided IOCs to identify and block malicious requests. - Update AVideo to a patched version that addresses this vulnerability.
Detection coverage 2
AVideo Webshell Creation via Locale Save
criticalDetects the creation of PHP files containing system commands in web-accessible directories via the locale save endpoint, indicating potential exploitation of the path traversal vulnerability.
AVideo Locale Save Path Traversal Attempt
highDetects attempts to exploit the path traversal vulnerability in the AVideo locale save endpoint by identifying POST requests with malicious `flag` parameters.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | https://target/locale/save.php |
| url | https://target/webshell.php?c=id |