GHSA-WWPW-HRX8-79R5

Vulnerability from github – Published: 2026-04-01 21:06 – Updated: 2026-04-01 21:06
VLAI?
Summary
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
Details

Summary

The AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response.

Details

The faulty guard is at lines 2-4 of the script:

// install/deleteSystemdPrivate.php:2-4
if (!php_sapi_name() === 'cli') {
    die('Command Line only');
}

Due to PHP operator precedence, this expression is parsed as:

if ((!php_sapi_name()) === 'cli') {

Step-by-step evaluation when accessed via HTTP (Apache/nginx with mod_php or php-fpm):

  1. php_sapi_name() returns "apache2handler" (or "fpm-fcgi", etc.) - a non-empty string
  2. !php_sapi_name() applies logical NOT to a truthy string, yielding false
  3. false === 'cli' is a strict comparison between a boolean and a string, which is always false
  4. The if body (die()) is never entered

The correct code should be:

if (php_sapi_name() !== 'cli') {
    die('Command Line only');
}

After the bypassed guard, the script enumerates and deletes aged files from the system temp directory:

$glob = glob(sys_get_temp_dir() . "/*");
// ...
foreach ($glob as $file) {
    if (filemtime($file) < $one_day_ago) {
        unlink($file);  // Deletes the file
    }
}

The script also outputs the total number of items found and details about processed files, leaking information about the temp directory contents.

Confirmed on a live instance: an unauthenticated HTTP GET request returned HTTP 200 with the response body including "Found total of 91 items", confirming the guard bypass and information disclosure.

Proof of Concept

Step 1: Verify the endpoint is accessible without authentication:

curl -v "https://your-avideo-instance.com/install/deleteSystemdPrivate.php"

Expected response (HTTP 200):

Found total of 91 items
Processing /tmp/phpXXXXXX ...
Deleted: /tmp/old_session_file ...

If the guard were working correctly, the response would be:

Command Line only

Step 2: Demonstrate the PHP operator precedence bug locally:

<?php
// Simulates the bug
$sapi = 'apache2handler'; // non-CLI SAPI

// Buggy check (as written in deleteSystemdPrivate.php)
var_dump(!$sapi === 'cli');
// Output: bool(false) - guard never triggers

// Correct check
var_dump($sapi !== 'cli');
// Output: bool(true) - guard would trigger correctly
?>

Step 3: Monitor the effect by checking before and after:

# Check initial state
curl -s "https://your-avideo-instance.com/install/deleteSystemdPrivate.php" | head -1
# Output: "Found total of 91 items"

# Wait and check again - files older than 24 hours will have been deleted
curl -s "https://your-avideo-instance.com/install/deleteSystemdPrivate.php" | head -1
# Output: "Found total of 47 items" (fewer items after deletion)

Impact

An unauthenticated attacker can trigger deletion of files in the server's system temp directory by simply sending an HTTP request to this endpoint. The impact includes:

  • File deletion: Any files in the temp directory older than 24 hours are deleted. This can disrupt server operations by removing PHP session files, upload temp files, cache files, or files used by other applications sharing the same temp directory.
  • Information disclosure: The script's output reveals the full path of the temp directory and enumerates its contents, including file names and counts. This can expose internal server paths, session file names, and the presence of other applications.
  • Denial of service: Repeated requests can be used to continuously purge temp files, interfering with file uploads, session management, and other temp-dependent operations.

The root cause is a common PHP pitfall where the logical NOT operator (!) has higher precedence than strict comparison (===), causing the intended CLI-only guard to be completely ineffective.

  • CWE-284: Improper Access Control
  • Severity: Medium

Recommended Fix

Fix the operator precedence bug at install/deleteSystemdPrivate.php:2 by replacing the negation with the !== operator:

// install/deleteSystemdPrivate.php:2
// Before (broken - always evaluates to false):
if (!php_sapi_name() === 'cli') {

// After (correct):
if (php_sapi_name() !== 'cli') {

Found by aisafe.io

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:06:34Z",
    "nvd_published_at": "2026-03-31T21:16:32Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe AVideo installation script `install/deleteSystemdPrivate.php` contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition `!php_sapi_name() === \u0027cli\u0027` never evaluates to true due to how PHP resolves operator precedence. The `!` (logical NOT) operator binds more tightly than `===` (strict comparison), causing the expression to always evaluate to `false`, which means the `die()` statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server\u0027s temp directory while also disclosing the temp directory contents in its response.\n\n## Details\n\nThe faulty guard is at lines 2-4 of the script:\n\n```php\n// install/deleteSystemdPrivate.php:2-4\nif (!php_sapi_name() === \u0027cli\u0027) {\n    die(\u0027Command Line only\u0027);\n}\n```\n\nDue to PHP operator precedence, this expression is parsed as:\n\n```php\nif ((!php_sapi_name()) === \u0027cli\u0027) {\n```\n\nStep-by-step evaluation when accessed via HTTP (Apache/nginx with mod_php or php-fpm):\n\n1. `php_sapi_name()` returns `\"apache2handler\"` (or `\"fpm-fcgi\"`, etc.) - a non-empty string\n2. `!php_sapi_name()` applies logical NOT to a truthy string, yielding `false`\n3. `false === \u0027cli\u0027` is a strict comparison between a boolean and a string, which is always `false`\n4. The `if` body (`die()`) is never entered\n\nThe correct code should be:\n\n```php\nif (php_sapi_name() !== \u0027cli\u0027) {\n    die(\u0027Command Line only\u0027);\n}\n```\n\nAfter the bypassed guard, the script enumerates and deletes aged files from the system temp directory:\n\n```php\n$glob = glob(sys_get_temp_dir() . \"/*\");\n// ...\nforeach ($glob as $file) {\n    if (filemtime($file) \u003c $one_day_ago) {\n        unlink($file);  // Deletes the file\n    }\n}\n```\n\nThe script also outputs the total number of items found and details about processed files, leaking information about the temp directory contents.\n\nConfirmed on a live instance: an unauthenticated HTTP GET request returned HTTP 200 with the response body including \"Found total of 91 items\", confirming the guard bypass and information disclosure.\n\n## Proof of Concept\n\n**Step 1:** Verify the endpoint is accessible without authentication:\n\n```bash\ncurl -v \"https://your-avideo-instance.com/install/deleteSystemdPrivate.php\"\n```\n\nExpected response (HTTP 200):\n\n```\nFound total of 91 items\nProcessing /tmp/phpXXXXXX ...\nDeleted: /tmp/old_session_file ...\n```\n\nIf the guard were working correctly, the response would be:\n\n```\nCommand Line only\n```\n\n**Step 2:** Demonstrate the PHP operator precedence bug locally:\n\n```php\n\u003c?php\n// Simulates the bug\n$sapi = \u0027apache2handler\u0027; // non-CLI SAPI\n\n// Buggy check (as written in deleteSystemdPrivate.php)\nvar_dump(!$sapi === \u0027cli\u0027);\n// Output: bool(false) - guard never triggers\n\n// Correct check\nvar_dump($sapi !== \u0027cli\u0027);\n// Output: bool(true) - guard would trigger correctly\n?\u003e\n```\n\n**Step 3:** Monitor the effect by checking before and after:\n\n```bash\n# Check initial state\ncurl -s \"https://your-avideo-instance.com/install/deleteSystemdPrivate.php\" | head -1\n# Output: \"Found total of 91 items\"\n\n# Wait and check again - files older than 24 hours will have been deleted\ncurl -s \"https://your-avideo-instance.com/install/deleteSystemdPrivate.php\" | head -1\n# Output: \"Found total of 47 items\" (fewer items after deletion)\n```\n\n## Impact\n\nAn unauthenticated attacker can trigger deletion of files in the server\u0027s system temp directory by simply sending an HTTP request to this endpoint. The impact includes:\n\n- **File deletion**: Any files in the temp directory older than 24 hours are deleted. This can disrupt server operations by removing PHP session files, upload temp files, cache files, or files used by other applications sharing the same temp directory.\n- **Information disclosure**: The script\u0027s output reveals the full path of the temp directory and enumerates its contents, including file names and counts. This can expose internal server paths, session file names, and the presence of other applications.\n- **Denial of service**: Repeated requests can be used to continuously purge temp files, interfering with file uploads, session management, and other temp-dependent operations.\n\nThe root cause is a common PHP pitfall where the logical NOT operator (`!`) has higher precedence than strict comparison (`===`), causing the intended CLI-only guard to be completely ineffective.\n\n- **CWE-284**: Improper Access Control\n- **Severity**: Medium\n\n## Recommended Fix\n\nFix the operator precedence bug at `install/deleteSystemdPrivate.php:2` by replacing the negation with the `!==` operator:\n\n```php\n// install/deleteSystemdPrivate.php:2\n// Before (broken - always evaluates to false):\nif (!php_sapi_name() === \u0027cli\u0027) {\n\n// After (correct):\nif (php_sapi_name() !== \u0027cli\u0027) {\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-wwpw-hrx8-79r5",
  "modified": "2026-04-01T21:06:34Z",
  "published": "2026-04-01T21:06:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/355e8c70806694b3bf8605d75e1bd1c695cd95e7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.