GHSA-3mjv-375j-6h92

Source
https://github.com/advisories/GHSA-3mjv-375j-6h92
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3mjv-375j-6h92/GHSA-3mjv-375j-6h92.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3mjv-375j-6h92
Aliases
  • CVE-2026-45731
Published
2026-05-18T19:01:59Z
Modified
2026-06-09T10:45:14.088400034Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
AVideo: Authenticated Arbitrary File Read in view/update.php
Details

Summary

view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process — especially valuable on misconfigured deployments where /etc/passwd, .env, or other sibling-app configs are reachable relative to the AVideo directory.

Details

view/update.php, lines 134-145 (excerpt):

if (!empty($_POST['updateFile'])) {
    $dir = Video::getStoragePath() . "cache";
    rrmdir($dir);
    /* …unrelated cache-clear… */

    if (file_exists($logfile . "log")) {
        unlink($logfile . "log");
        // ...
    }
    $lines = file("{$global['systemRootPath']}updatedb/{$_POST['updateFile']}");

The User::isAdmin() and adminSecurityCheck(true) guards at lines 12-15 enforce admin auth, but $_POST['updateFile'] is concatenated into a path without any sanitization. file() returns the file's contents as an array of lines; the script subsequently iterates them and echoes the SQL it would run.
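For comparison, the following is an added example of how the updateFile parameter can be confined to the files that actually live in updatedb/ before it ever reaches file(). It is not AVideo's code and not the project's fix; the function name resolveUpdateFile(), its parameter names, the ".sql" extension rule and the demo directory layout are all assumptions made for the illustration. It assumes PHP 8 (str_contains(), str_starts_with()).

```php
<?php
// Added example, not AVideo project code. Demonstrates three layered checks
// for a user-supplied migration file name: a syntactic check, an in_array()
// allowlist built from the real directory listing, and a realpath()
// containment check. Function and parameter names are hypothetical.
declare(strict_types=1);

/**
 * Return the canonical absolute path of the requested migration file, or
 * null if the request is anything other than a plain .sql file that sits
 * directly inside $updatedbDir.
 */
function resolveUpdateFile(string $updatedbDir, string $requested): ?string
{
    // 1. Syntactic check: a bare file name (no '/' or '\'), starting with an
    //    alphanumeric, with only the extension the migration runner expects.
    //    This already rejects "../../../../etc/passwd" and "../x/y.sql".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.sql$/', $requested)) {
        return null;
    }
    // Belt and braces: refuse any name that contains a parent reference.
    if (str_contains($requested, '..')) {
        return null;
    }

    // 2. Allowlist check: the name must match one of the regular files that
    //    are actually present in updatedb/ (the "in_array whitelist" the
    //    advisory notes is missing). scandir() yields bare names only.
    $entries = scandir($updatedbDir) ?: [];
    $allowed = array_filter($entries, static function (string $f) use ($updatedbDir): bool {
        return is_file($updatedbDir . DIRECTORY_SEPARATOR . $f);
    });
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 3. Canonical containment check: resolve symlinks and confirm the final
    //    path is still beneath the canonical updatedb/ directory.
    $baseReal = realpath($updatedbDir);
    $fileReal = realpath($updatedbDir . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $fileReal === false) {
        return null;
    }
    if (!str_starts_with($fileReal, $baseReal . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $fileReal;
}

// --- Demo with a constructed updatedb/ directory in the system temp dir ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'updatedb_demo_' . getmypid();
mkdir($tmp, 0700, true);
file_put_contents($tmp . DIRECTORY_SEPARATOR . '2024.sql', "SELECT 1;\n"); // constructed sample migration

$cases = [
    '2024.sql',                   // legitimate: resolves to the file
    '../../../../etc/passwd',     // traversal: rejected by the syntactic check
    'missing.sql',                // well-formed but absent: rejected by the allowlist
    '2024.sql/../2024.sql',       // slash inside the name: rejected
];
foreach ($cases as $c) {
    $r = resolveUpdateFile($tmp, $c);
    printf("%-28s => %s\n", $c, $r === null ? 'REJECTED' : 'OK ' . $r);
}

// Cleanup of the constructed demo directory.
unlink($tmp . DIRECTORY_SEPARATOR . '2024.sql');
rmdir($tmp);
```

In the migration runner itself the call site would become something like `$path = resolveUpdateFile($global['systemRootPath'] . 'updatedb', $_POST['updateFile']); if ($path === null) { http_response_code(400); exit; } $lines = file($path);`, so file() only ever sees a path the server has already verified. The allowlist alone is enough to stop traversal, because scandir() never returns a name containing a separator; the regex and realpath() checks are defence in depth against symlinked entries inside updatedb/ and against future changes to how the list is built.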

PoC

POST /view/update.php
Content-Type: application/x-www-form-urlencoded

updateFile=../../../../etc/passwd

Result: the script attempts to load /etc/passwd (resolved relative to {systemRootPath}updatedb/), echoing each line in the migration-runner HTML output. The traversal in $_POST['updateFile'] is accepted as-is: there is no extension guard and no in_array() whitelist.

Attempting ../../../../proc/self/environ similarly reveals web-server environment variables on Linux.

Impact

Verified on the current master branch of WWBN/AVideo (commit bc0340662…). Likely affected: every release where view/update.php contains the $_POST['updateFile'] consumer — pattern predates 2024.

Database specific
{
    "github_reviewed_at": "2026-05-18T19:01:59Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-05-29T14:16:31Z"
}
References

Affected packages

Packagist / WWBN/AVideo

Package

Name
WWBN/AVideo
Purl
pkg:composer/WWBN%2FAVideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
29.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3mjv-375j-6h92/GHSA-3mjv-375j-6h92.json"