GHSA-w5ff-2mjc-4phc: OS Command Injection in AVideo SocialMediaPublisher Plugin

The WWBN AVideo platform includes a plugin architecture to extend base functionality. The SocialMediaPublisher plugin, designed to syndicate video content to external platforms, contains a critical flaw in its file upload handling component. Specifically, the vulnerability resides within the plugin/SocialMediaPublisher/Objects/SocialUploader.php script.

The application is vulnerable to OS Command Injection (CWE-78) due to improper neutralization of special elements before passing them to an underlying operating system shell. The severity is constrained to a CVSS score of 5.9 (Moderate) primarily because the attack requires a high degree of complexity. Exploitation mandates that the attacker control or manipulate the HTTPS response from a trusted third-party API.

Despite the complex prerequisites, the vulnerability provides complete administrative control over the underlying operating system environment if successfully triggered. The application processes JSON responses from the LinkedIn API and interpolates the parsed URL directly into an OS command. This command is then executed via the PHP exec() function, inheriting the privileges of the web service.

The fundamental failure occurs during the processing of instructions returned by the LinkedIn media upload endpoint. The initializeLinkedInUploadSession() method requests an upload URL and parses the JSON response using json_decode(). The resulting data structure is stored in the $responseArray variable without any validation of the contents.

The application extracts the uploadUrl value from this array and passes it as an argument to the uploadVideoToLinkedIn() static method, alongside a path to a temporary file. The application implicitly trusts the data returned by the API, operating under the flawed assumption that external service responses are inherently safe for command construction.

Inside uploadVideoToLinkedIn(), the application builds a shell command to execute the curl binary. The $uploadUrl and $filePath variables are concatenated directly into the command string. The complete absence of escapeshellarg() or similar input validation functions allows shell metacharacters embedded in the URL to alter the intended structure of the resulting command.

The vulnerable code path constructs a string intended for execution in a bash subshell. The application concatenates the provided variables directly into a template string without escaping quotes or shell operators. The resulting string is logged and immediately executed.

// Vulnerable Implementation (SocialUploader.php:713-720)
$shellCmd = 'curl -v -H "Content-Type:application/octet-stream" --upload-file "' .
    $filePath . '" "' .
    $uploadUrl . '" 2>&1';
 
_error_log("Upload Video Shell Command:\n" . $shellCmd);
exec($shellCmd, $o);

To remediate this issue, developers can implement minimal sanitization using native PHP functions. Wrapping the dynamic variables in escapeshellarg() ensures that the input is treated strictly as a string literal by the command interpreter, preventing the breakout mechanism.

// Option 1: Minimal Sanitization Patch
$shellCmd = 'curl -v -H "Content-Type:application/octet-stream" --upload-file ' .
    escapeshellarg($filePath) . ' ' .
    escapeshellarg($uploadUrl) . ' 2>&1';
exec($shellCmd, $o);

A more robust architectural fix eliminates the subshell environment entirely. By replacing the system call with PHP's native cURL extension (curl_init(), curl_setopt()), the application communicates directly with the network interface. This neutralizes the CWE-78 vulnerability class completely by removing the OS command execution context.

Exploiting this vulnerability requires the attacker to manipulate the data stream between the AVideo server and the LinkedIn API. The attacker must position themselves to supply a crafted JSON response to the initializeLinkedInUploadSession() function. This typically requires a Man-in-the-Middle (MITM) network position, a compromised OAuth application token, or upstream manipulation of the API endpoint.

The attacker crafts a JSON payload where the uploadUrl key contains shell metacharacters designed to break out of the double quotes in the vulnerable command string. The payload terminates the intended string, appends a semi-colon or double ampersand to begin a new command, and executes arbitrary shell instructions.

{
  "value": {
    "uploadInstructions": [
      {
        "uploadUrl": "https://example.com\" ; id > /tmp/pwned ; echo \"",
        "firstByte": 0,
        "lastByte": 1024
      }
    ]
  }
}

When the AVideo application processes this response, the string concatenation produces a modified command structure. The system executes curl, immediately followed by the injected id > /tmp/pwned command. The trailing echo statement absorbs the remaining double quote intended for the original curl command, ensuring the syntax remains valid and the payload executes cleanly.

Successful exploitation yields arbitrary remote code execution within the context of the underlying web service. The injected commands execute synchronously with the permissions of the service account operating the PHP process, typically www-data or nginx. This grants the attacker immediate operational control over the application environment.

The primary impact compromises both confidentiality and integrity at the application tier. The attacker gains read access to sensitive data stored on the filesystem, including source code, configuration files, and database connection strings. Write access allows the modification of application binaries or the installation of persistent backdoor mechanisms.

The specific CVSS 3.1 vector evaluates to CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N. The requirement for an attacker to manipulate external API traffic enforces the High Attack Complexity (AC:H) metric. Consequently, while the technical impact of the command injection is severe, the environmental prerequisites restrict widespread automated exploitation.

System administrators must prioritize patching AVideo instances running versions 10.4 through 25.0. Deploying a version beyond 25.0 or applying the specific vendor patch for the SocialMediaPublisher plugin eliminates the vulnerability. Organizations should review internal system logs for unexpected outbound connections or anomalous child processes spawned by the web service.

If immediate patching is technically unfeasible, administrators can manually modify the plugin/SocialMediaPublisher/Objects/SocialUploader.php file. Locating the uploadVideoToLinkedIn() function and replacing the exec() call with the native PHP cURL implementation provides an effective, permanent mitigation. Alternatively, wrapping the variables in escapeshellarg() serves as a temporary stopgap.

Developers must audit all instances of exec(), system(), and passthru() within the application codebase. Relying on external APIs to provide safe input for command construction constitutes an architectural anti-pattern. Applications should utilize native language libraries for network operations rather than delegating tasks to system binaries.