Listen to this Post
The vulnerability resides in the `listFiles.json.php` endpoint of WWBN AVideo versions prior to 26.0. An authenticated user with uploader privileges can supply a `path` POST parameter that is passed directly to PHP’s `glob()` function. No validation or sanitization is performed to confine the path to an allowed base directory, and no restriction prevents the use of absolute paths or directory traversal sequences. By providing an arbitrary absolute path (e.g., /etc/, /var/www/private/, or /home/), the attacker forces the application to enumerate all `.mp4` files in that directory and return their full absolute filesystem paths. This effectively allows an attacker to map the entire server filesystem for `.mp4` files, including sensitive locations outside the web root (e.g., private media, configuration directories, or other user data). The leak of absolute paths can be leveraged for further attacks, such as identifying the location of premium content or building a knowledge base for subsequent exploitation. The root cause is the lack of a path‑prefix check before invoking glob(), combined with unsanitized user input. The issue was fixed in version 26.0 by enforcing a base directory constraint and validating the supplied path.
dailycve form:
Platform: WWBN AVideo
Version: before 26.0
Vulnerability: Path traversal via glob()
Severity: Medium
date: March 20, 2026
Prediction: Already patched (26.0)
What Undercode Say:
Analytics
Check if endpoint is vulnerable (authenticated session required) curl -X POST "https://target.com/objects/listFiles.json.php" \ -H "Cookie: PHPSESSID=your_session" \ -d "path=/etc" Enumerate .mp4 files outside web root curl -X POST "https://target.com/objects/listFiles.json.php" \ -H "Cookie: PHPSESSID=your_session" \ -d "path=/var/www/private" Use traversal to explore deeper curl -X POST "https://target.com/objects/listFiles.json.php" \ -H "Cookie: PHPSESSID=your_session" \ -d "path=../../../../home"
Exploit:
Authenticated attacker sends crafted POST requests to `listFiles.json.php` with a `path` parameter containing absolute paths or traversal sequences, receiving a JSON list of `.mp4` files and their absolute paths from the server filesystem.
Protection from this CVE
- Upgrade to WWBN AVideo version 26.0 or later.
- If upgrade is not immediately possible, apply the patch that restricts `path` to a configured base directory and validates input.
- Implement web application firewall (WAF) rules to block requests containing `path=` with absolute paths or `..` sequences.
- Restrict access to `listFiles.json.php` to only trusted roles and consider disabling the endpoint if not required.
Impact
An authenticated uploader can enumerate `.mp4` files anywhere on the server, exposing the location of private media, configuration files, and other sensitive data. This information leakage can aid in further attacks, such as direct file access, privilege escalation, or unauthorized retrieval of premium content. The CVSS score is estimated as Medium (5.5) due to the requirement of authentication and the information disclosure nature.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

