Lack of data validation - Path Traversal In wwbn/avideo

Description

WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs

Summary

objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path.

The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.

Details

The vulnerable chain was:

    objects/aVideoEncoderReceiveImage.json.php accepted attacker-controlled downloadURL_gifimage

    traversal scrubbing used str_replace('../', '', ...), which was bypassable with overlapping input such as ....//

    same-origin /videos/... URLs were accepted

    url_get_contents() and try_get_contents_from_local() resolved the request into a local filesystem read

    the fetched bytes were written into the GIF destination

    invalid GIF cleanup used the wrong variable, so the non-image payload remained on disk

This made the GIF poster path a local file disclosure primitive with public retrieval.

Proof of concept

    Log in as an uploader and create an owned video row through the normal encoder flow.

    Send:

POST /objects/aVideoEncoderReceiveImage.json.php
downloadURL_gifimage=https://localhost/videos/....//....//....//....//....//....//etc/passwd

    Query:

GET /objects/videos.json.php?showAll=1

    Recover the generated GIF URL from videosURL.gif.url.

    Download that GIF URL.

    Observe that the body matches the target local file, such as /etc/passwd, byte-for-byte.

Impact

An authenticated uploader can read server-local files and republish them through a public GIF media URL by supplying a crafted same-origin /videos/... path to downloadURL_gifimage. Because traversal scrubbing was bypassable and the fetched bytes were written to the GIF destination without effective invalid-image cleanup, successful exploitation allows disclosure of files such as /etc/passwd, readable application source code, or deployment-specific configuration accessible to the application.

Recommended fix

    Reject any remote image URL whose decoded path contains traversal markers

    Do not allow attacker-controlled same-origin /videos/... fetches to resolve into local file reads

    Constrain any local shortcut path handling with realpath() and strict base-directory allowlists

    Validate GIF content before saving it into public media storage

    Ensure invalid-image cleanup checks the correct destination path
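The scrub bypass from the Details section and the realpath()-plus-allowlist check recommended above, written out as an added PHP example; this is not AVideo's own code, and the function names and the base directory passed in are assumptions.

```php
<?php
// Added example, not code from wwbn/avideo. Shows why a single str_replace
// scrub fails and how a confined resolver plus a content check closes the gap.

// Vulnerable pattern: one non-recursive pass. Overlapping input such as
// "....//" collapses to "../" once the inner "../" is removed.
function weakScrub(string $path): string
{
    return str_replace('../', '', $path);
}

// Hardened resolver: decode first, reject traversal markers outright, then
// confine the canonical path to $base. $base is an assumed deployment directory.
function resolveUnderBase(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $decoded = rawurldecode($userPath);
    // Deliberately strict: any "..", NUL byte, backslash or absolute path is refused,
    // even though this also rejects unusual but legitimate names containing "..".
    if ($decoded === '' || $decoded[0] === '/'
        || strpos($decoded, "\0") !== false
        || strpos($decoded, '..') !== false
        || strpos($decoded, '\\') !== false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $decoded);
    if ($candidate === false) {
        return null; // target does not exist; nothing to read
    }
    // realpath() has already resolved symlinks and "..", so a prefix check is sound.
    if (strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Check the bytes are a GIF before they reach public media storage.
function looksLikeGif(string $bytes): bool
{
    return strncmp($bytes, 'GIF87a', 6) === 0 || strncmp($bytes, 'GIF89a', 6) === 0;
}

$payload = '....//....//etc/passwd';
var_dump(weakScrub($payload));                              // scrub output still climbs
var_dump(resolveUnderBase(sys_get_temp_dir(), $payload));   // refused by the hardened path
var_dump(looksLikeGif("root:x:0:0:root:/root:/bin/bash\n")); // passwd bytes are not a GIF
```

weakScrub() turns the payload into ../../etc/passwd, which is the overlapping-input bypass the advisory describes; resolveUnderBase() rejects it before any filesystem access, and looksLikeGif() gives the cleanup step a definite signal so a non-image payload is never left on disk.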
