CVE-2026-33238 Overview
WWBN AVideo is an open source video platform that contains a path traversal vulnerability in the listFiles.json.php endpoint. Prior to version 26.0, the endpoint accepts a path POST parameter and passes it directly to the glob() function without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories.
Critical Impact
Authenticated users holding the uploader role can enumerate video files and their absolute paths anywhere on the server filesystem, revealing where private or premium media is stored. The endpoint returns names and paths only; file contents are not read, but the disclosed locations give an attacker precise targets for follow-on attacks.
Affected Products
- WWBN AVideo versions prior to 26.0
- Any installation on an affected version that grants the uploader role to users who are not fully trusted
Discovery Timeline
- 2026-03-21 - CVE-2026-33238 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33238
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the listFiles.json.php endpoint of WWBN AVideo. The vulnerable code takes the path POST parameter as supplied, adds a trailing slash, and uses it as the base of a glob() call; nothing checks that the value lies inside the directory the listing was meant to cover. Any authenticated user with uploader privileges can therefore supply an arbitrary absolute path (no ../ sequence is needed) and have the server glob wherever they choose.
The result is enumeration of .mp4 files anywhere on the server filesystem. File contents are not returned, but the response reveals the existence and full absolute paths of video files outside the web-accessible directories, information that can be used to plan further attacks or to pinpoint high-value content such as premium or private media.
Root Cause
The root cause is missing path validation on the path parameter. The original implementation accepted any value, only ensured it ended in a slash, and used it directly as the glob() base without canonicalizing it (realpath()) or verifying that the canonical path falls within an allowed base directory such as the videos folder. Because an absolute path was accepted as-is, no traversal sequence was required to leave the intended folder; ../ sequences merely offered a second route to the same result.
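The containment check the original code lacked, as an added example written for this page rather than AVideo's own code: Python stands in for the PHP, os.path.realpath() for realpath(), and a temporary directory tree constructed in build_demo_tree() for an install. The videos_private sibling directory in that tree shows why the fix compares both paths with a trailing slash, and the example goes one step beyond the CVE by also showing the naive prefix check that the trailing separator prevents.

```python
"""Path-containment check of the kind CVE-2026-33238 lacked.

Added example for this write-up, not AVideo code: Python stands in for the
PHP, os.path.realpath() for realpath(), and a temporary directory tree
(constructed below) for an AVideo install.
"""
import glob
import os
import tempfile

ALLOWED_EXTENSIONS = ("mp4",)  # stands in for AVideo's $global['allowed']


def list_media_unchecked(user_path, extensions=ALLOWED_EXTENSIONS):
    """Pre-26.0 behaviour: glob under whatever directory the client names."""
    path = user_path.rstrip(os.sep) + os.sep
    if not os.path.isdir(path):
        return []
    found = []
    for ext in extensions:
        found.extend(glob.glob(os.path.join(path, "*." + ext)))
    return sorted(found)


def naive_prefix_check(base, user_path):
    """Common but wrong: compares canonical paths without a separator, so
    '/srv/videos_private' passes for a base of '/srv/videos'."""
    return os.path.realpath(user_path).startswith(os.path.realpath(base))


def resolve_within(base, user_path):
    """Canonicalize both sides and require user_path to be base or below it.

    Mirrors the 26.0 fix: realpath() collapses '..' and follows symlinks, and
    both sides carry a trailing separator before the prefix test.  Unlike PHP,
    os.path.realpath() does not fail on a missing path, so the isdir() checks
    do that job here.  Returns the directory (with trailing separator) or None.
    """
    allowed_base = os.path.realpath(base)
    if not os.path.isdir(allowed_base):
        return None
    allowed_base = allowed_base.rstrip(os.sep) + os.sep
    resolved = os.path.realpath(user_path)
    if not os.path.isdir(resolved):
        return None
    if not (resolved + os.sep).startswith(allowed_base):
        return None
    return resolved + os.sep


def is_allowed(base, user_path):
    return resolve_within(base, user_path) is not None


def list_media_checked(base, user_path, extensions=ALLOWED_EXTENSIONS):
    """Post-26.0 behaviour: refuse anything outside base, then glob."""
    path = resolve_within(base, user_path)
    if path is None:
        raise PermissionError("Path not allowed")
    return list_media_unchecked(path, extensions)


def basenames(paths):
    return [os.path.basename(p) for p in paths]


def build_demo_tree():
    """Constructed layout: a public videos tree plus two places an uploader
    should never be able to enumerate.  Returns the interesting paths."""
    root = tempfile.mkdtemp(prefix="avideo_demo_")
    t = {
        "root": root,
        "videos": os.path.join(root, "videos"),
        "user1": os.path.join(root, "videos", "user1"),
        "private": os.path.join(root, "videos_private"),  # sibling of the base
        "secret": os.path.join(root, "secret"),
    }
    for d in ("videos", "user1", "private", "secret"):
        os.makedirs(t[d])
    for f in (os.path.join(t["videos"], "public.mp4"),
              os.path.join(t["user1"], "clip.mp4"),
              os.path.join(t["private"], "premium.mp4"),
              os.path.join(t["secret"], "hidden.mp4"),
              os.path.join(t["secret"], "notes.txt")):
        open(f, "w").close()
    # A '..' route out of the base; realpath() collapses it to root/secret.
    t["traversal"] = os.path.join(t["user1"], "..", "..", "secret")
    return t


if __name__ == "__main__":
    t = build_demo_tree()
    print("unchecked, secret dir:", basenames(list_media_unchecked(t["secret"])))
    print("naive check accepts sibling dir:", naive_prefix_check(t["videos"], t["private"]))
    for p in (t["user1"], t["private"], t["secret"], t["traversal"], "/"):
        try:
            print("checked", p, "->", basenames(list_media_checked(t["videos"], p)))
        except PermissionError as e:
            print("checked", p, "->", e)
```

Running it lists hidden.mp4 through the unchecked function, shows the naive check accepting videos_private, and shows the checked function returning clip.mp4 for the user1 directory while rejecting the sibling, the secret directory, the ../ route and / outright.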
Attack Vector
The vulnerability is exploitable over the network by any authenticated user with uploader privileges. The attacker sends a POST request to the listFiles.json.php endpoint whose path parameter holds an arbitrary absolute filesystem path. The server responds with the matching files and their full paths. The glob pattern is built from $global['allowed'] (visible in the patch below as implode(",*.", $global['allowed'])), so every extension on that list is enumerated, not only .mp4.
The following patch demonstrates the security fix implemented in version 26.0:
$listedFiles = []; // Array to keep track of files already listed
if (!empty($_POST['path'])) {
- $path = $_POST['path'];
- if (substr($path, -1) !== '/') {
- $path .= "/";
+ $allowedBase = realpath($global['systemRootPath'] . 'videos');
+ if ($allowedBase === false) {
+ echo json_encode([]);
+ exit;
}
+ $allowedBase .= '/';
+
+ $resolvedPath = realpath($_POST['path']);
+ if ($resolvedPath === false || strpos($resolvedPath . '/', $allowedBase) !== 0) {
+ http_response_code(403);
+ echo json_encode(['error' => 'Path not allowed']);
+ exit;
+ }
+ $path = $resolvedPath . '/';
if (file_exists($path)) {
$extn = implode(",*.", $global['allowed']);
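Review bot: realpath($_POST['path']) is reached without a type check, so a client sending path[]=x (an array, which !empty() accepts) raises a TypeError on PHP 8 and the request ends in a 500 rather than the intended 403; an is_string($_POST['path']) guard in the surrounding if would close that. Two smaller points: the $allowedBase === false branch answers 200 with [], which reports a broken install (missing videos directory) as "no files" where a logged 500 would be more honest; and file_exists($path) below is now the only thing rejecting a regular file (realpath() accepts one, and the appended '/' then makes file_exists() fail), so an explicit is_dir($resolvedPath) next to the prefix test would state that intent. The prefix test itself has the right shape: appending '/' to both $allowedBase and $resolvedPath before strpos() is what stops a sibling such as videos_private from matching. Note that the base is the whole videos tree, so any uploader can still list every other uploader's directory beneath it; if per-account scoping is intended, the base needs to be that account's own subdirectory.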
Source: GitHub Commit Details
Detection Methods for CVE-2026-33238
Indicators of Compromise
- POST requests to /objects/listFiles.json.php whose path parameter is an absolute path or contains traversal sequences (e.g. ../, /etc/, /var/, or URL-encoded forms such as %2e%2e). A standard access log records the URL but not the POST body, so the path value is only visible where request bodies are logged (WAF audit log, reverse proxy, or the application itself)
- Many requests to listFiles.json.php from the same uploader account in a short period, each with a different path value
- HTTP 200 responses from listFiles.json.php whose body lists paths outside the expected videos directory
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns and absolute paths in the path POST parameter sent to listFiles.json.php; match on the decoded body, since the parameter can arrive URL-encoded
- Monitor application logs for requests to listFiles.json.php with suspicious path values containing absolute paths or traversal sequences; if the application does not log the parameter, enable body logging at the WAF or reverse proxy
- Do not rely on file integrity monitoring here: glob() only reads directory entries and changes nothing, so FIM sees no event. Where host-level visibility is wanted, a read watch on the sensitive media directories (e.g. Linux auditd, auditctl -w <dir> -p r) records the directory opens that a listing causes
Monitoring Recommendations
- Enable detailed request logging for the AVideo application, including POST parameters, so that requests to sensitive endpoints such as listFiles.json.php can be reconstructed after the fact
- Configure alerts for anomalous patterns such as repeated requests to listFiles.json.php with different path parameters
- Review uploader account activity for signs of reconnaissance or enumeration behavior
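The detection and monitoring steps above, as an added example written for this page and not part of AVideo: a small analyzer run over constructed log lines. The log format and the /var/www/html/videos/ install path are assumptions (standard access logs do not record POST bodies, so lines like these exist only if the application, a reverse proxy or a WAF audit log writes the path parameter out). It flags absolute paths outside the videos base, traversal sequences and URL-encoded variants, then counts findings per account to drive the repeated-probing alert.

```python
"""Detection of CVE-2026-33238 probing from request logs.

Added example for this write-up, not AVideo code.  The log format and the
install path are assumptions; SAMPLE_LOG is constructed.  Standard access
logs do not record POST bodies, so lines like these only exist if the
application, a reverse proxy or a WAF audit log writes the 'path' value out.
"""
import posixpath
import re
import urllib.parse
from collections import Counter

VIDEOS_BASE = "/var/www/html/videos/"          # assumed AVideo videos directory
ENDPOINT = "/objects/listFiles.json.php"

SAMPLE_LOG = """\
2026-03-22T10:15:01Z ip=198.51.100.7 user=alice POST /objects/listFiles.json.php path=/var/www/html/videos/alice/ status=200
2026-03-22T10:15:09Z ip=198.51.100.7 user=alice POST /objects/listFiles.json.php path=videos/alice status=200
2026-03-22T10:16:30Z ip=203.0.113.5 user=mallory POST /objects/listFiles.json.php path=/var/www/html/videos/../../../../etc/ status=200
2026-03-22T10:16:31Z ip=203.0.113.5 user=mallory POST /objects/listFiles.json.php path=/home/ status=200
2026-03-22T10:16:32Z ip=203.0.113.5 user=mallory POST /objects/listFiles.json.php path=%2Fsrv%2Fpremium%2F status=200
2026-03-22T10:16:33Z ip=203.0.113.5 user=mallory POST /objects/listFiles.json.php path=/var/www/html/videos_private/ status=200
2026-03-22T10:20:00Z ip=192.0.2.9 user=bob GET /objects/video.json.php status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<url>\S+)"
    r"(?: path=(?P<path>\S+))? status=(?P<status>\d+)$"
)


def decode_path(raw):
    """Undo up to two layers of URL encoding (%2e%2e, %252e%252e ...)."""
    decoded = raw
    for _ in range(2):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_path(raw, base=VIDEOS_BASE):
    """Return the reasons a 'path' value looks like enumeration, or []."""
    base = base.rstrip("/") + "/"
    decoded = decode_path(raw)
    reasons = []
    if decoded != raw:
        reasons.append("url_encoded")
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("traversal")
    if decoded.startswith("/"):
        # Same trailing-separator rule as the 26.0 fix, applied lexically:
        # normpath() collapses '..', and 'videos_private/' must not match 'videos/'.
        normalized = posixpath.normpath(decoded).rstrip("/") + "/"
        if not normalized.startswith(base):
            reasons.append("outside_base")
    if reasons == ["url_encoded"]:   # encoded but inside the base: noise, not a finding
        return []
    return reasons


def analyze(log_text, base=VIDEOS_BASE, endpoint=ENDPOINT):
    """One finding per suspicious request to the listing endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["url"].endswith(endpoint) or m["path"] is None:
            continue
        reasons = classify_path(m["path"], base)
        if reasons:
            findings.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"],
                             "path": m["path"], "status": int(m["status"]),
                             "reasons": reasons})
    return findings


def per_user_counts(findings):
    return Counter(f["user"] for f in findings)


def users_over_threshold(findings, threshold=3):
    """Repeated probing from one account is the behavioural signal to alert
    on; the threshold is a tuning assumption, not an AVideo setting."""
    return sorted(u for u, n in per_user_counts(findings).items() if n >= threshold)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["user"], f["path"], ",".join(f["reasons"]))
    print("alert:", users_over_threshold(found))
```

On the constructed log the two alice requests pass (one inside the base, one relative without traversal), all four mallory requests are flagged, and mallory crosses the alert threshold. Against a real deployment, swap VIDEOS_BASE for the install's videos directory and LINE_RE for whatever format the body-logging layer actually writes.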
How to Mitigate CVE-2026-33238
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- Review access logs for any historical exploitation attempts against the listFiles.json.php endpoint
- Audit user accounts with uploader privileges and revoke unnecessary access
Patch Information
WWBN has released version 26.0, which fixes this vulnerability. The patch implements path validation by:
- Resolving the allowed base directory (the videos folder) with realpath() to obtain a canonical path
- Resolving the user-supplied path with realpath(), which collapses ../ and follows symlinks, and verifying that it starts with the allowed base; both sides carry a trailing slash, so a sibling directory such as videos_private does not pass
- Returning HTTP 403 with a JSON error message if the path does not exist or lies outside the base
The security fix is available in commit 870cf24a7632d4f1a5d5549b59103c18f39e3a21. For detailed information, refer to the GitHub Security Advisory GHSA-4wmm-6qxj-fpj4.
Workarounds
- Restrict access to the listFiles.json.php endpoint at the web server level (IP allowlisting or an additional authentication layer), accepting that legitimate uploaders outside the allowed range lose the listing feature
- Add a reverse proxy or WAF rule that blocks requests whose POST body carries an absolute path or traversal sequence in the path parameter
- As a last resort, disable the file listing by renaming or removing listFiles.json.php until the upgrade is done; any UI that depends on the listing will break in the meantime
# Example: restrict the vulnerable endpoint to trusted source addresses via Apache .htaccess
# Apache 2.4 syntax (mod_authz_core); the directory needs AllowOverride AuthConfig or All.
# 192.168.1.0/24 is a placeholder for the administrators' network.
<Files "listFiles.json.php">
    Require ip 192.168.1.0/24
</Files>
# The older Order/Deny/Allow form works on 2.4 only when mod_access_compat is loaded:
# <Files "listFiles.json.php">
#     Order Deny,Allow
#     Deny from all
#     Allow from 192.168.1.0/24
# </Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

