WWBN AVideo Unauthenticated Remote Denial of Service Vulnerability
WWBN AVideo versions up to 26.0 are vulnerable to a denial-of-service attack where unauthenticated remote attackers can exhaust disk space by sending arbitrary POST data to a specific endpoint.
WWBN AVideo, an open-source video platform, is susceptible to a denial-of-service (DoS) vulnerability (CVE-2026-33483) in versions up to and including 26.0. The vulnerability lies in the aVideoEncoderChunk.json.php endpoint, a standalone PHP script lacking authentication, framework includes, and resource limits. An unauthenticated attacker can exploit this by sending arbitrary POST data to this endpoint, leading to the creation of persistent temporary files in the /tmp/ directory. The absence of size caps, rate limiting, and cleanup mechanisms allows attackers to rapidly exhaust disk space, causing a denial of service for the entire server. This vulnerability can be addressed by applying the patch included in commit 33d1bae6c731ef1682fcdc47b428313be073a5d1.
Attack Chain
- The attacker identifies a vulnerable AVideo instance running a version up to 26.0.
- The attacker crafts a malicious HTTP POST request containing arbitrary data.
- The attacker sends the crafted POST request to the
aVideoEncoderChunk.json.phpendpoint on the target server. - The AVideo server receives the request and, due to the lack of authentication, processes it without verification.
- The
aVideoEncoderChunk.json.phpscript writes the arbitrary POST data to a temporary file in the/tmp/directory. - The attacker repeats steps 2-5, sending a large number of POST requests to rapidly fill the
/tmp/directory. - The
/tmp/directory becomes full, preventing the server from writing other necessary temporary files. - The server experiences a denial of service due to the disk space exhaustion, impacting all services reliant on disk I/O.
Impact
Successful exploitation of this vulnerability leads to a denial-of-service condition affecting the entire AVideo server. This can result in the website becoming unavailable to users, disrupting video streaming services, and potentially impacting other applications reliant on the same server. Given the ease of exploitation, a single attacker could potentially bring down a vulnerable AVideo instance with minimal effort, leading to significant disruption of video services. The number of victims will depend on the prevalence of unpatched AVideo instances.
Recommendation
- Apply the patch from commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 to address the vulnerability in
aVideoEncoderChunk.json.php. - Deploy the Sigma rule
Detect AVideo Excessive TMP File Creationto monitor for suspicious activity in the/tmp/directory related to AVideo processes. - Implement rate limiting on the
aVideoEncoderChunk.json.phpendpoint to prevent attackers from overwhelming the server with requests. - Monitor web server logs for excessive POST requests to
aVideoEncoderChunk.json.phpand investigate any anomalies.
Detection coverage 2
Detect AVideo Excessive TMP File Creation
highDetects a large number of temporary files being created by the AVideo webserver process in the /tmp/ directory, indicating a potential denial-of-service attempt.
Detect AVideo POST Request to Chunk Endpoint
mediumDetects POST requests to the aVideoEncoderChunk.json.php endpoint which is vulnerable to DoS.
Detection queries are available on the platform. Get full rules →