<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Polyglot - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/polyglot/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/polyglot/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo Remote Code Execution via Polyglot File Upload (CVE-2026-33647)</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/</guid><description>AVideo versions up to 26.0 are vulnerable to remote code execution (CVE-2026-33647) due to insufficient file validation in the `ImageGallery::saveFile()` method, allowing attackers to upload polyglot files with a `.php` extension to achieve code execution.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is susceptible to remote code execution (RCE) in versions up to and including 26.0 due to a flaw in the <code>ImageGallery::saveFile()</code> method. This vulnerability, identified as CVE-2026-33647, arises from the inadequate validation of uploaded files. Specifically, the system uses <code>finfo</code> for MIME type detection but relies on the user-supplied filename extension without proper sanitization. An attacker can leverage this weakness by crafting a polyglot file, embedding malicious PHP code within a seemingly benign JPEG image, and naming it with a <code>.php</code> extension. This bypasses the MIME type check, causing the file to be saved as an executable PHP file within a web-accessible directory. The vulnerability was patched in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae. Successful exploitation grants the attacker the ability to execute arbitrary code on the AVideo server, leading to potential data breaches, system compromise, and service disruption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an AVideo instance running a vulnerable version (&lt;= 26.0).</li>
<li>The attacker crafts a polyglot file. This file is a valid JPEG image with PHP code appended. The file is named with a <code>.php</code> extension (e.g., <code>evil.php</code>).</li>
<li>The attacker uses the AVideo web interface, specifically the image upload functionality within <code>ImageGallery::saveFile()</code>, to upload the malicious <code>evil.php</code> file.</li>
<li>The <code>ImageGallery::saveFile()</code> method uses <code>finfo</code> to check the MIME type of the uploaded file. Because the file starts with JPEG magic bytes, it passes the MIME type check.</li>
<li>Due to the missing allowlist on the filename extension, the file is saved with the attacker-controlled <code>.php</code> extension.</li>
<li>The file is saved in a web-accessible directory on the AVideo server.</li>
<li>The attacker sends an HTTP request to the uploaded PHP file (e.g., <code>https://avideo.example.com/uploads/evil.php</code>).</li>
<li>The web server executes the PHP code embedded within the <code>evil.php</code> file, granting the attacker remote code execution on the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33647 allows an attacker to execute arbitrary code on the AVideo server. This can lead to a full system compromise, including the ability to read and modify sensitive data, install malware, pivot to other systems on the network, and disrupt service availability. The impact depends on the privileges of the web server process. Given the nature of video platforms, successful attacks can also lead to defacement and distribution of malicious content.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit <code>345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae</code> to remediate CVE-2026-33647 immediately.</li>
<li>Implement strict allowlisting for file extensions in the <code>ImageGallery::saveFile()</code> method to prevent the upload of executable files.</li>
<li>Deploy the provided Sigma rule to detect potential attempts to exploit CVE-2026-33647 by monitoring for the execution of PHP files within the web server's upload directories.</li>
<li>Review webserver logs for suspicious requests to PHP files in upload directories for potential exploitation attempts (log source: webserver).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-33647</category><category>RCE</category><category>File Upload</category><category>AVideo</category><category>Polyglot</category></item></channel></rss>