AVideo, Directory Traversal Bypass (Critical)

Listen to this Post

The vulnerability exists because the path traversal fix in commit `2375eb5e0` only checks the URL path component (via parse_url($url, PHP_URL_PATH)) for `..` sequences. An attacker can place the traversal payload in the query string – e.g., `?a=/videos/../../etc/passwd` – which leaves the path component clean (/x). The fix does not inspect the full URL.
Downstream, `try_get_contents_from_local()` in `objects/functionsFile.php` calls `explode(‘/videos/’, $url)` on the entire URL including the query string. For a malicious URL like http://TARGET/x?a=/videos/../../etc/passwd`, `$parts

` becomes</code>../../../../etc/passwd<code>. This is concatenated with</code>{$global['systemRootPath']}videos/<code>, producing a path like</code>/var/www/html/videos/../../../../etc/passwd<code>, which PHP resolves to</code>/etc/passwd<code>.
The file content is then read via `file_get_contents()` and written to a video thumbnail path using</code>_file_put_contents()<code>. All four `downloadURL_` parameters (</code>downloadURL_image<code>,</code>downloadURL_gifimage<code>,</code>downloadURL_webpimage<code>,</code>downloadURL_spectrumimage<code>) are affected.
The `isValidURL()` function accepts the URL because `FILTER_VALIDATE_URL` allows `..` in query strings per RFC 3986. `isSSRFSafeURL()` returns early because the host matches</code>webSiteRootURL<code>. No further validation occurs.
An authenticated user with upload permission can read any file the web server has access to. Image files (PNG/JPEG/GIF) are permanently exfiltrated via the thumbnail URL; non-image files leak existence and size via the `jpgDestSize` response, with a race window before deletion.
<h2 style="color: blue;">dailycve form:</h2>
Platform: AVideo
Version: Before commit 2375eb5e0
Vulnerability: Directory traversal bypass
Severity: Critical
Date: 2026-04-14
<h2 style="color: blue;">Prediction: Patch already in commit >2375eb5e0</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
[bash]
Identify vulnerable endpoint
curl -X POST "https://target/objects/aVideoEncoderReceiveImage.json.php" \
-d "videos_id=123" \
-d "downloadURL_image=http://target/x?a=/videos/../../../../etc/passwd"
Check leaked file size from response (jpgDestSize)
Exfiltrate image files that pass validation
curl -s "https://target/videos/thumbnail.jpg"
Race condition for non-image files (e.g., config)
while true; do curl -s "https://target/videos/config.php.bak" && break; done

<h2 style="color: blue;">Exploit:</h2>
Authenticated POST to `aVideoEncoderReceiveImage.json.php` with `downloadURL_` parameter containing `?a=/videos/../..` traversal in query string. `explode('/videos/')` on full URL yields
../../../../etc/passwd. Path resolves outside `videos/` directory. Content written to video thumbnail, then read via video endpoint.
<h2 style="color: blue;">Protection from this CVE:</h2>
1. In
objects/aVideoEncoderReceiveImage.json.php:49, check full URL:if (strpos(urldecode($_REQUEST[$value]), ‘..’) !== false).
<h2 style="color: blue;">2. In
objects/functionsFile.php:229, add `realpath()` validation:</h2>

$realTryFile = realpath($tryFile);
$videosDir = realpath("{$global['systemRootPath']}videos/");
if ($realTryFile === false || strpos($realTryFile, $videosDir) !== 0) return false;

<h2 style="color: blue;">3. Restrict `file_get_contents()` to allowlisted paths only.</h2>
<h2 style="color: blue;">Impact:</h2>
- Arbitrary file read (any file web server can access)
- Full exfiltration of images (thumbnails)
- Leak of existence & size for non-image files
- Bypass of prior security fix (commit 2375eb5e0)
- Exposure of database credentials (
videos/configuration.php), system files (/etc/passwd`), and source code

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top