AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php

Root

Cause

In AVideo-Encoder prior to version 7.0, the file objects/getImage.php accepts a base64Url GET parameter. This value is Base64-decoded and then directly interpolated into a double-quoted ffmpeg shell command without any escaping of shell metacharacters. Although the application uses FILTER_VALIDATE_URL to validate the input, that only checks URL syntax and does not block shell metacharacters like backticks or $() command substitution sequences [1][3].

Exploitation

An unauthenticated attacker can send a crafted a URL such as https://target/objects/getImage.php?base64Url=$(malicious_command) (after Base64-decoding, the injected string becomes a shell substitution). Because the value is placed inside double quotes, the shell interprets the substitution and executes the enclosed command. The execution path uses shell_exec or nohup, allowing asynchronous command execution without any authentication requirement [1][3].

Impact

Successful exploitation grants the attacker arbitrary OS command execution on the server. This can lead to full server compromise, data exfiltration (configuration secrets, internal keys, credentials), and complete service disruption. The vulnerability is classified with a critical severity score [1][3].

Mitigation

The issue has been patched in AVideo-Encoder version 7.0 by applying strict shell argument escaping (e.g., escapeshellarg()) to all user-supplied values and avoiding double-quoted interpolation of untrusted input. For environments that cannot immediately update, workarounds include restricting access to objects/getImage.php at the web server/reverse proxy layer (IP allowlist, authentication, or disabling the endpoint) and applying WAF rules to block suspicious shell metacharacters [3].