PHP
CVE-2026-33238
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server - including locations outside the web root, such as private or premium media directories.
Details
The vulnerable code is at objects/listFiles.json.php:8-45:
if (!User::canUpload() || !empty($advancedCustom->doNotShowImportMP4Button)) {
return false;
}
$global['allowed'] = ['mp4'];
// ...
if (!empty($_POST['path'])) {
$path = $_POST['path'];
if (substr($path, -1) !== '/') {
$path .= "/";
}
if (file_exists($path)) {
$extn = implode(",*.", $global['allowed']);
$filesStr = "{*." . $extn . ",*." . strtolower($extn) . ",*." . strtoupper($extn) . "}";
$video_array = glob($path . $filesStr, GLOB_BRACE);
foreach ($video_array as $key => $value) {
$filePath = mb_convert_encoding($value, 'UTF-8');
// ...
$obj->path = $filePath; // Full absolute path returned to callerThe $_POST['path'] value is used directly in glob() with no call to realpath() for normalization and no prefix check against a permitted base directory (e.g., $global['systemRootPath'] . 'videos/'). The response includes obj->path containing the full absolute filesystem path of each matched file.
The extension filter ({*.mp4,*.mp4,*.MP4}) limits results to .mp4 files, which prevents reading credentials or source code but does not prevent enumeration of video files stored in access-controlled locations such as:
- Premium/paid content directories
- Private or unlisted media stores
- Backup directories containing
.mp4files - Paths revealing sensitive server directory structure
canUpload is a standard low-privilege role granted to any registered uploader; it does not imply administrative trust.
PoC
# Step 1: Authenticate as any user with canUpload permission
# (standard uploader account)
# Step 2: Enumerate MP4 files in the web root (expected behavior)
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
-d "path=/var/www/html/videos/"
# Returns: [{"id":0,"path":"/var/www/html/videos/video1.mp4","name":"video1.mp4"}, ...]
# Step 3: Traverse outside intended directory to private content store
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
-d "path=/var/private/premium-content/"
# Returns: [{"id":0,"path":"/var/private/premium-content/paywalled-video.mp4","name":"paywalled-video.mp4"}, ...]
# Step 4: Enumerate root filesystem for any MP4 files
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
-d "path=/"
# Returns all .mp4 files visible to the web server process anywhere on diskExpected behavior: Only files within the designated upload directory should be listable. Actual behavior: Files from any path readable by the web server process are returned with full absolute paths.
Impact
- Unauthorized media enumeration: An uploader can discover private, premium, or access-controlled
.mp4files stored outside their permitted directory. - Filesystem structure disclosure: Full absolute paths reveal server directory layout, aiding further attacks.
- Content bypass: In AVideo deployments where premium video files are stored in filesystem directories not protected by application access control, this exposes the filenames and paths needed to directly access them if other path traversal or direct-file-access weaknesses are present.
- Blast radius: Requires
canUploadpermission (low privilege), but this is the standard permission for all video uploaders on a multi-user AVideo instance.
Recommended Fix
Restrict the supplied path to an allowed base directory using realpath():
if (!empty($_POST['path'])) {
$allowedBase = realpath($global['systemRootPath'] . 'videos') . '/';
$path = realpath($_POST['path']);
// Reject paths that don't start with the allowed base
if ($path === false || strpos($path . '/', $allowedBase) !== 0) {
http_response_code(403);
echo json_encode(['error' => 'Path not allowed']);
exit;
}
$path .= '/';
// ... continue with glob
}realpath() resolves ../ sequences before the prefix check, preventing traversal bypasses.
AnalysisAI
The listFiles.json.php endpoint in AVideo accepts an unsanitized POST parameter path and passes it directly to PHP's glob() function without restricting traversal to an allowed base directory, enabling authenticated uploaders to enumerate .mp4 files anywhere on the server filesystem. An attacker with the standard canUpload permission can discover private, premium, or access-controlled video files stored outside the intended upload directory by supplying arbitrary absolute paths, revealing both filenames and full filesystem paths that may aid further exploitation. A proof-of-concept is available demonstrating traversal from the web root to arbitrary locations such as /var/private/premium-content/ and the root filesystem.
Technical ContextAI
The vulnerability is a classic path traversal flaw (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) occurring in the objects/listFiles.json.php endpoint of WWBN AVideo (CPE: pkg:composer/wwbn_avideo). The root cause is the absence of realpath() normalization and prefix validation before passing user-supplied $_POST['path'] to the glob() function at lines 8–45. While the application attempts to filter results by extension ({*.mp4,*.mp4,*.MP4}), this extension-based constraint does not prevent directory traversal; it only limits enumerable file types to .mp4 files. The canUpload permission required for exploitation is a low-privilege role granted to all registered video uploaders, making this accessible to any non-administrative user in a multi-user AVideo deployment. The response includes the full absolute filesystem path of each matched file in the JSON response field obj->path, leaking server directory structure information.
RemediationAI
Apply the vendor patch by consulting the GitHub advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4 and upgrading to the patched version as soon as it is released. The recommended code fix is to validate the $_POST['path'] parameter using realpath() and a prefix check against an allowed base directory (e.g., $global['systemRootPath'] . 'videos/'), rejecting any path that does not resolve within that boundary or that resolves to false. Until patching is possible, restrict access to the /objects/listFiles.json.php endpoint via web server configuration (e.g., Apache .htaccess or nginx location block) to trusted IP ranges or disable the endpoint entirely if not actively used. Additionally, verify that filesystem permissions restrict the web server process to necessary directories only; this will not prevent the enumeration but will limit the attacker's ability to enumerate sensitive filesystem locations beyond the intended scope.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4wmm-6qxj-fpj4