Executive Summary

CVE-2026-33038 is a vulnerability in WWBN AVideo versions 25.0 and below that allows an unauthenticated attacker to take over the application through the install/checkConfiguration.php endpoint.

This endpoint performs full application initialization—including database setup, admin account creation, and configuration file writing—based solely on unauthenticated POST input. The only protection is a check for the existence of the videos/configuration.php file.

If the deployment is uninitialized (i.e., the configuration file does not exist), a remote attacker can complete the installation process with attacker-controlled credentials and database settings, gaining full administrative access to the application.

The vulnerability also includes SQL injection risks due to unsanitized input parameters and lacks protections like CSRF tokens or access restrictions on the installer endpoint.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including complete application takeover by an unauthenticated remote attacker.

• The attacker can gain full administrative access, allowing them to read, modify, or delete all application data.
• The attacker can configure the application to use a malicious database under their control, enabling persistent backdoors and data exfiltration.
• Potential for remote code execution exists through administrative capabilities such as file uploads and plugin management.
• The application can be rendered inoperable, impacting availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the AVideo installation endpoint install/checkConfiguration.php is accessible on an uninitialized deployment, meaning the file videos/configuration.php does not exist.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send a POST request to the /install/checkConfiguration.php endpoint and observe if it allows unauthenticated initialization or returns a response indicating installation can proceed.'}, {'type': 'paragraph', 'content': 'Example command using curl to test accessibility and response:'}, {'type': 'list_item', 'content': "curl -X POST http://your-avideo-domain/install/checkConfiguration.php -d 'some=test'"}, {'type': 'paragraph', 'content': 'If the response indicates the installer is active or allows configuration, the system is vulnerable if uninitialized.'}, {'type': 'paragraph', 'content': 'Additionally, checking for the existence of the configuration file can be done via:'}, {'type': 'list_item', 'content': 'ls -l /path/to/avideo/videos/configuration.php'}, {'type': 'paragraph', 'content': 'If this file does not exist, the deployment is uninitialized and vulnerable to takeover via the installer endpoint.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Restrict access to the install directory, especially the install/checkConfiguration.php endpoint, by limiting it to localhost or blocking it via firewall rules.
• Add .htaccess protections in the install directory to deny external HTTP access and prevent directory listing.
• Ensure the deployment is initialized by creating the videos/configuration.php file or completing a secure installation.
• Upgrade AVideo to version 26.0 or later, which includes fixes such as CSRF protection, prepared statements to prevent SQL injection, and improved password hashing.
• If upgrading immediately is not possible, consider disabling or removing the install/checkConfiguration.php endpoint temporarily to prevent unauthorized access.

Useful 0 Not Useful 0