Executive Summary

CVE-2026-33293 is a vulnerability in the WWBN AVideo open source video platform affecting versions prior to 26.0. It arises because the `deleteDump` parameter in the `plugin/CloneSite/cloneServer.json.php` script is passed directly to the PHP `unlink()` function without any path sanitization or validation.

An attacker with valid clone credentials can exploit this by using path traversal sequences (like `../../`) in the `deleteDump` parameter to delete arbitrary files on the server. This includes critical files such as `configuration.php`, which can cause the entire application to fail or enable further attacks by removing security-critical files.

The vulnerability exists because the application concatenates the user-supplied `deleteDump` value directly to the clones directory path without normalization or sanitization, allowing escape from the intended directory.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Arbitrary file deletion: An attacker can delete any file accessible by the web server, including source code, configuration files, uploaded media, and database dumps.
• Complete denial of service: Deleting critical files like `configuration.php` can break the entire AVideo application, causing fatal errors on every page load.
• Security control bypass: Deleting access control files such as `.htaccess` can expose protected resources.
• Data loss: Uploaded videos, photos, and backups stored on the server can be destroyed.
• Potential escalation: Removing security-critical files may weaken defenses and enable further attacks.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual HTTP requests to the `plugin/CloneSite/cloneServer.json.php` endpoint that include the `deleteDump` parameter with path traversal sequences such as `../../`.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending crafted HTTP requests with path traversal payloads in the `deleteDump` parameter to check if arbitrary files like `configuration.php` can be deleted.'}, {'type': 'list_item', 'content': 'Verify the target file exists by sending a request and checking for HTTP 200, 302, or 403 status codes.'}, {'type': 'list_item', 'content': 'Send a crafted request with a path traversal payload in `deleteDump`, for example: `../../videos/configuration.php`.'}, {'type': 'list_item', 'content': 'Check the server response for `"error": false` indicating successful deletion.'}, {'type': 'list_item', 'content': 'Confirm deletion by requesting the file again and expecting HTTP 404 or 500 errors.'}, {'type': 'paragraph', 'content': 'Example command using curl to test for the vulnerability (replace URL and credentials accordingly):'}, {'type': 'list_item', 'content': 'curl -i "https://targetsite/plugin/CloneSite/cloneServer.json.php?deleteDump=../../videos/configuration.php" -H "Authorization: Bearer <valid_clone_token>"'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patch that sanitizes the `deleteDump` parameter to prevent path traversal attacks.

The patch involves:

• Using `basename()` on the `deleteDump` parameter to strip directory traversal components.
• Constructing the full file path by concatenating the sanitized filename with the clones directory.
• Validating the resolved real path of the target file to ensure it is within the allowed clones directory using `realpath()` and string comparison.
• Rejecting any requests where the file path validation fails with an error message and terminating the operation.

Additionally, ensure that only trusted users have valid clone credentials, as the vulnerability requires valid clone authentication.

Upgrading to version 26.0 or later of WWBN AVideo, where this issue is fixed, is strongly recommended.

Useful 0 Not Useful 0