Unauthenticated OS Command Injection in getImage.php via base64Url
Unauthenticated OS Command Injection in AVideo’s getImage.php exposes servers to remote takeover.
This critical flaw, tracked as CVE-2026-29058, lets attackers run any shell commands without login.
AVideo Vulnerability
Attackers target the base64Url GET parameter in objects/getImage.php of AVideo version 6.0.
The app Base64-decodes this input, then plugs it straight into an ffmpeg shell command inside double quotes, like ffmpeg -i "DECODED_INPUT" output.png.
With no shell escaping, attackers inject commands via sequences like $(whoami), which the shell expands even inside double quotes, or a closing quote followed by ; cat /etc/passwd, which the shell executes blindly.
No authentication check stands in the way and no user interaction is needed, so the attack is remote and zero-click. CVSS v3.1 scores it 9.8/10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), hitting confidentiality, integrity, and availability hard.
| Attribute | Details |
|---|---|
| CVE | CVE-2026-29058 |
| Product | AVideo |
| Versions | 6.0 (fixed in 7.0 and later) |
| Severity | Critical 9.8/10 |
| Type | OS Command Injection |
| Exploit | Unauth remote RCE |
Root Cause
The code trusts the URL validation applied to base64Url, which only checks URL-like syntax.
It does not reject shell metacharacters: backticks, $() or ;. After decoding, input like ZWNobyAkKGlkKQ== (base64 for echo $(id)) becomes part of the ffmpeg string. The shell parses it as code, running the payload alongside ffmpeg.
Affected files include objects/getImage.php, objects/security.php, and async helpers using shell_exec or nohup. Upstream flaws in YouPHPTube/YouPHPTube-Encoder echo this pattern.
Full server compromise follows: read sensitive files (/etc/passwd, AWS keys), pivot to internal systems, or wipe services. Data exfiltration hits videos, user credentials, or API secrets. No user interaction is needed: craft a malicious URL and hit the endpoint.
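To make the expansion concrete, here is an added Python example (not AVideo's code) that builds the command string both the vulnerable way and the quoted way and hands each to /bin/sh, as shell_exec() would. It substitutes printf for ffmpeg so it runs offline, uses a harmless $(echo injected) in place of the $(id) probe, and uses shlex.quote as the Python counterpart of PHP's escapeshellarg(); the stand-in command, payload and helper names are this example's assumptions.

```python
import base64
import shlex
import subprocess

# Stand-in for the ffmpeg invocation so the example runs offline: printf simply
# echoes the argument the shell hands it, which makes any expansion visible.
# (Assumption of this example; the real endpoint runs ffmpeg -i "..." output.png.)
STAND_IN = "printf '%s\\n'"


def decode_param(b64url: str) -> str:
    """Base64-decode the parameter the way the endpoint does before use."""
    return base64.b64decode(b64url).decode("utf-8", errors="replace")


def build_vulnerable(b64url: str) -> str:
    """The flawed pattern: the decoded value lands inside double quotes with no
    escaping, so $(...) and backticks are still expanded by the shell."""
    return f'{STAND_IN} "{decode_param(b64url)}"'


def build_hardened(b64url: str) -> str:
    """The fix: quote the decoded value as one literal argument.
    shlex.quote is the Python counterpart of PHP's escapeshellarg()."""
    return f"{STAND_IN} {shlex.quote(decode_param(b64url))}"


def run(cmd: str) -> str:
    """Hand the command line to /bin/sh, as PHP's shell_exec() would, and
    return its stdout."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


# Constructed inputs: a benign image URL and a payload whose plaintext is
#   echo $(echo injected)
# a harmless stand-in for $(id); the substitution running at all is the bug.
BENIGN = base64.b64encode(b"https://example.com/a.jpg").decode()
PAYLOAD = base64.b64encode(b"echo $(echo injected)").decode()

if __name__ == "__main__":
    # Benign input behaves the same either way; the payload does not.
    print("vulnerable:", run(build_vulnerable(PAYLOAD)), end="")  # echo injected
    print("hardened:  ", run(build_hardened(PAYLOAD)), end="")    # echo $(echo injected)
```

Both builders produce identical output for the benign URL; only the quoted form keeps the payload inert, which is exactly what the escapeshellarg() patch changes.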
Detection Steps
- Scan requests for base64Url values whose decoded form contains shell patterns: `$(`, backticks, `;`. The metacharacters only appear after Base64 decoding, so a filter must decode the parameter before matching.
- Monitor logs for odd ffmpeg spawns or command output in image responses.
- Test payload: GET /objects/getImage.php?base64Url=ZWNobyAkKGlkKQ==&format=png (base64 of echo $(id)); check whether uid=... leaks back in the response.
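As an added example (not from the advisory or the AVideo project), the following Python script implements the first detection step over constructed combined-format access log lines: it pulls base64Url out of each request, decodes it the way a lenient base64_decode() would (URL-safe alphabet accepted, missing padding repaired), and flags decoded values that contain shell metacharacters. The log lines, addresses, timestamps and the SHELL_META pattern are this example's assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlparse

# Metacharacters worth flagging in the decoded value. $( and backticks are
# expanded even inside a double-quoted shell string; the rest only matter once
# a payload has broken out of the quotes, so a double quote is flagged as well.
SHELL_META = re.compile(r'\$\(|`|"|;|\||&|\n')

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_base64url(value: str) -> str:
    """Decode like a lenient base64_decode(): accept the URL-safe alphabet,
    repair missing padding and drop characters outside the alphabet."""
    padded = value + "=" * (-len(value) % 4)
    raw = base64.b64decode(padded, altchars=b"-_", validate=False)
    return raw.decode("utf-8", errors="replace")


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded base64Url carries shell
    metacharacters: client IP, timestamp, decoded value and the hits."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        params = parse_qs(urlparse(m["target"]).query)
        for value in params.get("base64Url", []):
            try:
                decoded = decode_base64url(value)
            except (ValueError, TypeError):
                decoded = ""  # undecodable junk is not a shell payload
            hits = sorted(set(SHELL_META.findall(decoded)))
            if hits:
                findings.append(
                    {"ip": m["ip"], "ts": m["ts"], "decoded": decoded, "meta": hits}
                )
    return findings


def _enc(plain: str) -> str:
    """Build a URL-encoded Base64 value; used only for the constructed sample."""
    return quote(base64.b64encode(plain.encode()).decode())


# Constructed sample log: one legitimate thumbnail fetch, one unrelated request,
# a $(id) probe and a quote-breakout attempt. Addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /objects/getImage.php?base64Url='
    + _enc("https://example.com/thumb.jpg") + '&format=png HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Mar/2026:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 8801',
    '203.0.113.9 - - [01/Mar/2026:10:05:17 +0000] "GET /objects/getImage.php?base64Url='
    + _enc("echo $(id)") + '&format=png HTTP/1.1" 200 77',
    '203.0.113.9 - - [01/Mar/2026:10:05:18 +0000] "GET /objects/getImage.php?base64Url='
    + _enc('"; cat /etc/passwd; "') + '&format=png HTTP/1.1" 500 0',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} meta={f['meta']} decoded={f['decoded']!r}")
```

The same decode-then-match logic is what a WAF rule needs; matching the raw Base64 text would miss every payload, since `$(` never appears in the encoded form.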
Mitigation Strategies
Upgrade to AVideo >=7.0, which adds escapeshellarg() to wrap user input safely. Example fix:
```php
// escapeshellarg() wraps the value in single quotes and escapes any embedded
// single quotes, so the shell receives exactly one literal argument.
$safeUrl = escapeshellarg(base64_decode($_GET['base64Url']));
$cmd = "ffmpeg -i {$safeUrl} output.png"; // the interpolated value is already shell-quoted
```
Better still, avoid building shell strings altogether: pass the program and its arguments as an array to proc_open (supported since PHP 7.4), which bypasses the shell entirely. As a stopgap, block the endpoint in nginx (location /objects/getImage.php { deny all; }), at the cost of the image-fetching feature, or add WAF rules that decode and inspect base64Url payloads, as noted on GitHub.