Talos Vulnerability Report

TALOS-2023-1881

WWBN AVideo image404Raw.php information disclosure vulnerability

January 10, 2024
CVE Number

CVE-2023-49738

SUMMARY

An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo dev master commit 15fed957fb

PRODUCT URLS

AVideo - https://github.com/WWBN/AVideo

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-73 - External Control of File Name or Path

DETAILS

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

The view/img/image404Raw.php file is used to show an image when a 404 (Not Found) error is triggered.

The image to be shown is passed via the image GET parameter or via the whole REQUEST_URI [1]:

[1] $imageURL = !empty($_GET['image']) ? $_GET['image'] : $_SERVER["REQUEST_URI"];
[2] $rootDir = dirname(__FILE__) . '/../../';
    if($imageURL == 'favicon.ico'){
        $imgLocalFile = "{$rootDir}/videos/{$imageURL}";
    }else{
        $imgLocalFile = "{$rootDir}/{$imageURL}";
    }

    if (file_exists($imgLocalFile)) {
        // Determine the content type based on the file extension
        $fileExtension = strtolower(pathinfo($imgLocalFile, PATHINFO_EXTENSION));

        switch ($fileExtension) {
            case 'jpg':
            case 'jpeg':
                $type = 'image/jpeg';
                break;
            case 'png':
                $type = 'image/png';
                break;
            case 'webp':
                $type = 'image/webp';
                break;
            case 'gif':
                $type = 'image/gif';
                break;
            default:
                $type = 'image/jpeg'; // Default to jpg if the extension is not recognized
                break;
        }

        // Serve the final image
        header("HTTP/1.0 200 OK"); // The image exists, so it's not a 404
        header('Content-Type: ' . $type);
        header('Content-Length: ' . filesize($imgLocalFile));
[3]     readfile($imgLocalFile);
        exit;
    }

The image parameter, fully under attacker control, is appended to $rootDir [2] and finally read and echoed at [3].

This allows an attacker to read any file the webserver process can access, which can lead to further privilege escalation.

In practice, this issue allows an attacker to read videos/configuration.php, which contains the salt used for various encryptions made by AVideo. Knowledge of the salt can be used to achieve administrator privileges as shown in TALOS-2023-1900.

Note that this issue is also exploitable by requesting view/img/image404.php, as that file includes the vulnerable image404Raw.php file.
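The following is an added example, not AVideo's code or the vendor's patch, of how the lookup at [1]-[3] can be hardened: the requested name is validated, the lookup is confined to a single directory, the resolved path is checked for containment after realpath(), and unknown extensions are refused instead of being served as image/jpeg. It assumes that 404 images only ever live under videos/ beneath the web root (the original also served paths relative to the web root itself) and drops the REQUEST_URI fallback in favour of a fixed favicon.ico default.

```php
<?php
// Added example (not AVideo's code): hardened replacement for the lookup in
// view/img/image404Raw.php. Assumption: every image this script may serve
// lives under <webroot>/videos/, two levels above this file as in the original.

function resolveImagePath(string $rootDir, string $imageURL): ?string
{
    // Accept only a plain relative name; reject empty values, absolute paths,
    // encoded bytes and any ".." component before touching the filesystem.
    if ($imageURL === ''
        || !preg_match('#^[A-Za-z0-9_./-]+$#', $imageURL)
        || strpos($imageURL, '..') !== false) {
        return null;
    }

    // Confine the lookup to the one directory this script is meant to serve.
    $baseDir = realpath($rootDir . '/videos');
    if ($baseDir === false) {
        return null;
    }

    // Canonicalise, then check containment on the resolved path so that
    // symlinks or "./" segments cannot point outside $baseDir.
    $resolved = realpath($baseDir . '/' . $imageURL);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    $prefix = $baseDir . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

function imageContentType(string $path): ?string
{
    // Explicit allowlist: an unknown extension yields null and a 404,
    // instead of the original's "default to image/jpeg" branch.
    $types = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'webp' => 'image/webp',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? null;
}

$rootDir  = dirname(__FILE__) . '/../../';
$imageURL = !empty($_GET['image']) ? (string)$_GET['image'] : 'favicon.ico';

$file = resolveImagePath($rootDir, $imageURL);
$type = $file !== null ? imageContentType($file) : null;

if ($file === null || $type === null) {
    // Anything outside the allowlisted directory or extension set is a 404.
    header('HTTP/1.0 404 Not Found');
    exit;
}

header('HTTP/1.0 200 OK');
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($file));
readfile($file);
```

The containment check compares the realpath() result against the base directory plus a trailing separator, so a sibling directory whose name merely starts with "videos" is not accepted either; the regular-expression filter in front of it keeps the filesystem from being probed with unusual input at all.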

Crash Information

This request retrieves videos/configuration.php:

curl -k 'https://localhost/view/img/image404Raw.php?image=videos/configuration.php'

Similarly for image404.php:

curl -k 'https://localhost/view/img/image404.php?image=videos/configuration.php'
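As an added example of detecting the requests shown above in webserver logs (this is not part of the advisory or of AVideo), the function below scans combined-format access-log lines for image404Raw.php or image404.php requests whose image parameter is anything other than an image file directly under videos/. The log lines are constructed for the example.

```php
<?php
// Added example (not part of the advisory): flag image404Raw.php/image404.php
// requests whose image= parameter does not look like a 404 image under videos/.

function suspiciousImage404Requests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Combined log format: "METHOD /path?query HTTP/x.y" inside quotes.
        $re = '#"(?:GET|POST|HEAD) (/view/img/image404(?:Raw)?\.php)(?:\?([^ "]*))? HTTP/#';
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        // parse_str() percent-decodes the query, so encoded traversal is seen too.
        $query = [];
        parse_str($m[2] ?? '', $query);
        $image = (string)($query['image'] ?? '');

        // Expected shape: videos/<name>.<image extension>, no ".." anywhere.
        $expected = preg_match('#^videos/[A-Za-z0-9_.-]+\.(?:jpe?g|png|webp|gif)$#i', $image) === 1
            && strpos($image, '..') === false;

        if ($image !== '' && !$expected) {
            $hits[] = ['script' => $m[1], 'image' => $image, 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample log lines: one benign request and two matching the
// advisory's proof-of-concept requests (the third one percent-encoded).
$sampleLog = [
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /view/img/image404Raw.php?image=videos/cache/thumb.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2024:12:00:07 +0000] "GET /view/img/image404Raw.php?image=videos/configuration.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Jan/2024:12:00:09 +0000] "GET /view/img/image404.php?image=..%2Fvideos%2Fconfiguration.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
];

foreach (suspiciousImage404Requests($sampleLog) as $hit) {
    echo "{$hit['script']} requested image={$hit['image']}\n";
}
```

Note that the first sample line, a thumbnail under videos/cache/, is the only one not reported; the allowlist is deliberately narrow, so a deployment that legitimately serves 404 images from elsewhere will need its expected-shape pattern adjusted rather than widened to "anything under the web root".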

TIMELINE

2023-12-14 - Vendor Disclosure
2023-12-15 - Vendor Patch Release
2024-01-10 - Public Release

Credit

Discovered by Claudio Bozzato of Cisco Talos.