CVE-2026-33238
Path Traversal in WWBN AVideo Allows Server File Enumeration
Publication date: 2026-03-21
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 26.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33238 is a path traversal vulnerability in the WWBN AVideo platform affecting the listFiles.json.php endpoint. This endpoint accepts a POST parameter named 'path' and passes it directly to the PHP glob() function without validating or restricting it to a designated base directory.

An authenticated user with upload permissions (a low-privilege role) can supply arbitrary absolute paths to enumerate .mp4 files anywhere on the server filesystem, including directories outside the intended video upload directory.

This allows the attacker to discover private or premium media files and reveals the full absolute filesystem paths, exposing sensitive directory structure information that could facilitate further attacks. [1]
How can this vulnerability impact me?
This vulnerability allows an authenticated uploader to traverse the entire server filesystem and enumerate .mp4 files outside the intended directories.
- Unauthorized disclosure of private or premium media files stored outside the web root.
- Exposure of full absolute filesystem paths, revealing sensitive server directory structure.
- Potential facilitation of further attacks due to leaked directory information.
- Increased risk because the vulnerability requires only low privileges (canUpload), which are commonly granted to many users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to enumerate .mp4 files outside the intended upload directory using the vulnerable endpoint. Specifically, an authenticated user with upload permissions can send POST requests to the listFiles.json.php endpoint with the `path` parameter set to various directories to check if the server returns file listings outside the allowed base directory.
- Authenticate as a user with `canUpload` permission.
- Send a POST request to the endpoint with `path` set to the intended videos directory, for example: `path=/var/www/html/videos/`.
- Send a POST request with `path` set to directories outside the web root, such as `path=/var/private/premium-content/` or `path=/` to attempt to enumerate .mp4 files anywhere on the server.
If the server responds with JSON containing full absolute paths of .mp4 files outside the allowed directory, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should apply the patch that restricts file enumeration to an allowed base directory by validating and normalizing the user-supplied path before passing it to the glob() function.
- Use `realpath()` to resolve the absolute path of the user-supplied `path` parameter.
- Define an allowed base directory (e.g., the videos directory) and ensure the resolved path starts with this base path.
- If the path is invalid or outside the allowed base directory, respond with HTTP 403 Forbidden and an error message, then exit.
This approach prevents directory traversal by ensuring file listings are confined to the intended directory.
If you are using the WWBN AVideo platform, upgrade to version 26.0 or later where this fix is implemented.
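The check described above, written out as an added example: the unsafe glob() call beside a confined version that resolves the requested path with realpath() and requires it to sit under the allowed base. This is illustrative code, not AVideo's own; the base directory, function names and request handling are assumptions.

```php
<?php
// Added example (not the project's code). VIDEOS_BASE is an assumed
// deployment path; adjust it to the real upload directory.
const VIDEOS_BASE = '/var/www/html/videos';

/**
 * Vulnerable pattern: the user-supplied path goes straight into glob(),
 * so any readable absolute directory on the server can be enumerated.
 */
function listMp4Unsafe(string $userPath): array
{
    return glob(rtrim($userPath, '/') . '/*.mp4') ?: [];
}

/**
 * Hardened pattern: resolve the request with realpath() and accept it
 * only if it is the base directory or lies beneath it.
 * Returns null when the caller should answer with HTTP 403.
 */
function listMp4Confined(string $userPath, string $base = VIDEOS_BASE): ?array
{
    $baseReal = realpath($base);
    $target   = realpath($userPath);
    // realpath() returns false for non-existent or unreadable paths;
    // treat both as a rejection rather than falling back to raw input.
    if ($baseReal === false || $target === false) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a
    // sibling such as "/var/www/html/videos-private" is not accepted
    // by a plain string-prefix match.
    $baseTrim = rtrim($baseReal, DIRECTORY_SEPARATOR);
    $prefix   = $baseTrim . DIRECTORY_SEPARATOR;
    if ($target !== $baseTrim && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return glob($target . '/*.mp4') ?: [];
}

// Endpoint-style handling (assumed shape, not AVideo's listFiles.json.php).
$requested = $_POST['path'] ?? VIDEOS_BASE;
$files = listMp4Confined($requested);
if ($files === null) {
    http_response_code(403);
    echo json_encode(['error' => 'path is outside the allowed directory']);
    exit;
}
echo json_encode($files);
```

Because realpath() follows symlinks, a link inside the base that points outside it resolves to its real location and is rejected as well, which is the intended behaviour; the comparison must always be made on the resolved path, never on the raw `..`-containing input.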