logo

Database

Lack of data validation - Path Traversal In wwbn/avideo

Description

WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal

Summary

The incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink() of arbitrary files via ../../ sequences in the GET parameter.

Affected Package

    Ecosystem: Other

    Package: AVideo

    Affected versions: < commit 941decd6d19e

    Patched versions: >= commit 941decd6d19e

Details

At line 44-48 of cloneServer.json.php (pre-fix):

if (!empty($_GET['deleteDump'])) {
    $resp->error = !unlink("{$clonesDir}{$_GET['deleteDump']}");
    $resp->msg = "Delete Dump {$_GET['deleteDump']}";
    die(json_encode($resp));
}

No basename(), no realpath() check, no path traversal filtering. $_GET['deleteDump'] is concatenated directly with $clonesDir.

The vulnerable code has zero protection against path traversal:

    No basename() to strip directory components

    No realpath() to validate the final path

    No check that resolved path is within $clonesDir

    No ../ sanitization

    Additionally, exec() calls with mysqldump pass credentials on the command line

PoC

"""
CVE-2026-33293 - AVideo CloneSite Path Traversal
"""

import sys
import os

VULN_SRC = os.path.join(os.path.dirname(__file__), "src", "cloneServer.json.php")...
python3 poc.py

Steps to reproduce:

    git clone https://github.com/WWBN/AVideo /tmp/AVideo_test

    cd /tmp/AVideo_test && git checkout 941decd6d19e2e694acb75e86317d10fbb560284~1

    python3 poc.py

Expected output:

VULNERABILITY CONFIRMED
The deleteDump parameter passes unsanitized path traversal sequences (../../) directly to unlink(), enabling arbitrary file deletion.

Impact

An attacker can delete arbitrary files on the server. Deleting configuration.php takes the site offline. Deleting .htaccess exposes protected directories. Deleting system files can affect other services.

Suggested Remediation

Use basename($_GET['deleteDump']) to strip directory components. Validate that realpath() of the final path is within $clonesDir. Validate file extension. Add authentication checks.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-410582. NVD-2026-332933. NVD-2026-410584. OSV-2026-410585. GHSA-5879-4fmr-xwf26. GHSA-xmjm-86qv-g2267. GCVE-2026-41058

References

1. https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf22. https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g2263. https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b24. https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.