AVideo EncoderReceiveImage Local File Inclusion Vulnerability
AVideo is vulnerable to local file inclusion (LFI) via the EncoderReceiveImage endpoint, allowing authenticated uploaders to read sensitive server files by bypassing path traversal restrictions.
AVideo, a video sharing platform, is vulnerable to a local file inclusion vulnerability (CVE-2026-39369) in versions 26.0 and earlier. The vulnerability exists in the objects/aVideoEncoderReceiveImage.json.php endpoint, which is accessible to authenticated users with uploader privileges. By manipulating the downloadURL_gifimage parameter with a specially crafted URL containing path traversal sequences, an attacker can bypass input sanitization and force the application to read arbitrary files from the server's filesystem. The application then writes the content of the file into a GIF, making it accessible via a public media URL. This allows attackers to retrieve sensitive information such as configuration files, source code, and system credentials.
Attack Chain
- Attacker logs in to AVideo as an authenticated user with uploader privileges.
- Attacker crafts a malicious POST request to
objects/aVideoEncoderReceiveImage.json.phpwith thedownloadURL_gifimageparameter. - The
downloadURL_gifimageparameter contains a URL with path traversal sequences (e.g.,....//....//) targeting a sensitive file on the server (e.g.,/etc/passwd). - The application attempts to sanitize the URL using
str_replace('../', '', ...)but fails due to the overlapping traversal sequence. - The application resolves the manipulated URL, resulting in a read operation from the targeted file on the local filesystem using
url_get_contents()ortry_get_contents_from_local(). - The content of the targeted file is retrieved and written into a GIF image file on the server's disk.
- The attacker uses
objects/videos.json.php?showAll=1to recover the generated GIF URL fromvideosURL.gif.url. - The attacker accesses the GIF URL, retrieves the file content, and obtains sensitive information.
Impact
Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the AVideo server. This can lead to the disclosure of sensitive information, including configuration files, source code, and system credentials, potentially leading to further compromise of the server and the AVideo platform. This impacts any AVideo instance running version 26.0 or earlier and puts all associated data at risk.
Recommendation
- Apply the recommended fixes from WWBN: Reject any remote image URL whose decoded path contains traversal markers.
- Apply the recommended fixes from WWBN: Do not allow attacker-controlled same-origin
/videos/...fetches to resolve into local file reads. - Apply the recommended fixes from WWBN: Constrain any local shortcut path handling with
realpath()and strict base-directory allowlists. - Apply the recommended fixes from WWBN: Validate GIF content before saving it into public media storage.
- Apply the recommended fixes from WWBN: Ensure invalid-image cleanup checks the correct destination path.
- Deploy the Sigma rule
Detect AVideo LFI Attemptto detect exploitation attempts against theaVideoEncoderReceiveImage.json.phpendpoint. - Monitor web server logs for HTTP requests to
/objects/aVideoEncoderReceiveImage.json.phpcontaining path traversal sequences in thedownloadURL_gifimageparameter.
Detection coverage 2
Detect AVideo LFI Attempt
highDetects attempts to exploit the local file inclusion vulnerability in AVideo's aVideoEncoderReceiveImage.json.php by identifying path traversal sequences in the downloadURL_gifimage parameter.
Detect AVideo LFI via videos.json.php access
mediumDetects access to videos.json.php with showAll=1 following a POST request to aVideoEncoderReceiveImage.json.php, indicative of LFI exploitation.
Detection queries are available on the platform. Get full rules →