Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33647 is a vulnerability in the WWBN AVideo platform's ImageGallery plugin, affecting versions up to 26.0. The issue arises because the method that saves uploaded files validates the file's MIME type using PHP's finfo class but does not properly validate the file extension. Instead, it uses the extension from the user-supplied original filename without an allowlist check."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by uploading a polyglot file that starts with valid JPEG magic bytes but contains embedded PHP code and names the file with a .php extension. The MIME type check passes because it only looks at the file header, but the file is saved with the .php extension in a web-accessible directory. This allows the attacker to execute arbitrary PHP code remotely on the server.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with permission to manage videos to upload malicious files that execute arbitrary PHP code on the server. The impacts include:

• Remote Code Execution (RCE) on the web server.
• Reading sensitive files such as database credentials.
• Full database access.
• Reading, modifying, or deleting any files accessible to the web server.
• Lateral movement within the server network.
• Potential privilege escalation depending on server configuration.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying uploaded files in the videos/ImageGallery directories that have a .php extension but contain image MIME types such as image/jpeg. Since the vulnerability involves polyglot files that pass MIME checks but are saved with executable .php extensions, scanning for such files is key.'}, {'type': 'list_item', 'content': "Use find commands to locate .php files in the upload directories, for example: find /path/to/videos -type f -name '*.php'"}, {'type': 'list_item', 'content': 'Check the MIME type of suspicious .php files using the file command: file --mime-type filename.php'}, {'type': 'list_item', 'content': 'Look for files where the MIME type is an image type (e.g., image/jpeg) but the extension is .php, indicating a polyglot file.'}, {'type': 'list_item', 'content': 'Monitor web server logs for access to .php files in the videos/ImageGallery directories that may indicate exploitation attempts.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include enforcing strict validation of file extensions on the server side and restricting PHP execution in upload directories.'}, {'type': 'list_item', 'content': "Implement an extension allowlist in the ImageGallery::saveFile() method to ensure only safe extensions matching allowed MIME types are accepted, for example: ['jpg', 'jpeg', 'webp', 'gif', 'png', 'mp4']."}, {'type': 'list_item', 'content': "Modify the file saving logic to derive the file extension from the MIME type detected by PHP's finfo class rather than trusting the user-supplied filename."}, {'type': 'list_item', 'content': 'Add a .htaccess file in the videos/ directory to disable PHP execution, for example: php_flag engine off and denying access to .php files.'}, {'type': 'list_item', 'content': 'Ensure that only authenticated users with proper permissions can upload files to the ImageGallery plugin.'}, {'type': 'list_item', 'content': 'Apply the patch referenced in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae which refactors the upload handling to address these issues.'}] [1, 2]

Useful 0 Not Useful 0