PT-2026-51433 · Packagist · Wwbn Avideo

Published 2026-06-22 · Updated 2026-06-22 · CVE-2026-33692

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Details

CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
The official docker-compose.yml (line 61) mounts the entire project root directory under the Apache document root:
```yaml
volumes:
  - "./:/var/www/html/AVideo"
```
This causes the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles.

Exposed Information

An unauthenticated request to GET /.env returns:
```
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
```

Steps to Reproduce

Prerequisites

  • AVideo deployed using the official docker-compose.yml
  • No modifications to the default configuration

Steps

  1. Deploy AVideo using docker compose up -d
  2. Send: curl http://target/.env
  3. The full .env file contents are returned, including database credentials and admin password

Impact

  • Attacker: Unauthenticated (any remote user)
  • Victim: AVideo server and database
  • Specific damage: Attacker obtains database credentials (DB_MYSQL_USER, DB_MYSQL_PASSWORD), the admin password (SYSTEM_ADMIN_PASSWORD), and internal network topology (NETWORK_SUBNET). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

Proposed Fix

Add a .htaccess rule to block access to dotfiles:
```apache
# Block access to hidden files (.env, .git, etc.)
<FilesMatch "^\.">
  Order Allow,Deny
  Deny from all
</FilesMatch>
```
Or configure Apache to deny dotfile access in the virtual host configuration. The regex must be `^\.` (a literal leading dot): an unescaped `^.` matches every file name and would block the whole site. The Order/Deny directives are Apache 2.2 syntax and need mod_access_compat on Apache 2.4, where `Require all denied` is the native equivalent; a .htaccess file only takes effect if AllowOverride permits it for that directory.
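The following is an added defender-side check, not code from the AVideo project or from this advisory. It covers the two technical points above: it scans a docker-compose.yml for bind mounts that place the project root (where .env lives) under a web document root, and it simulates which file names an Apache FilesMatch regex would match, showing why the pattern has to be `^\.` rather than `^.`. The compose text, the document-root prefixes and the file names are constructed sample data; the compose parser is a deliberately minimal line-based one that assumes the common short `host:container` volume syntax with two-space indentation.

```python
import re

# Constructed sample modelled on the mount quoted in the advisory (not the project's real file).
SAMPLE_COMPOSE = """\
services:
  avideo:
    image: example/avideo:latest
    volumes:
      - "./:/var/www/html/AVideo"
      - "./videos:/var/www/html/AVideo/videos"
  database:
    image: mariadb:10
    volumes:
      - "db_data:/var/lib/mysql"
"""

# Assumed document-root locations worth flagging; extend for your own images.
DOC_ROOT_PREFIXES = ("/var/www/", "/usr/share/nginx/html", "/srv/http")


def parse_volume_mounts(compose_text):
    """Return (service, host_path, container_path) for short-syntax volume entries.

    Minimal line-based parser: top-level 'services:' at indent 0, service names at
    indent 2, service keys at indent 4, list items deeper than 4. Good enough for
    auditing the common layout; use a YAML library for anything more exotic.
    """
    mounts = []
    service = None
    in_volumes = False
    for raw in compose_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 2 and line.endswith(":"):
            service = line[:-1]          # new service block
            in_volumes = False
            continue
        if indent == 4:
            in_volumes = line == "volumes:"  # entering or leaving the volumes key
            continue
        if in_volumes and indent > 4 and line.startswith("- "):
            entry = line[2:].strip().strip("\"'")
            parts = entry.split(":")
            if len(parts) >= 2:
                mounts.append((service, parts[0], parts[1]))
    return mounts


def find_root_mounts_in_docroot(compose_text, docroot_prefixes=DOC_ROOT_PREFIXES):
    """Flag mounts of the project root ('.' or './') into a web document root.

    Such a mount exposes every file in the checkout, including .env, unless the
    web server is separately configured to refuse dotfiles.
    """
    return [
        (service, host, container)
        for service, host, container in parse_volume_mounts(compose_text)
        if host in (".", "./") and container.startswith(docroot_prefixes)
    ]


def filesmatch_hits(pattern, filenames):
    """Simulate an Apache <FilesMatch> regex: it is applied, unanchored, to the
    bare file name, which re.search reproduces."""
    rx = re.compile(pattern)
    return [name for name in filenames if rx.search(name)]


# Constructed file names: three dotfiles that should be blocked, two that must stay servable.
SAMPLE_FILES = [".env", ".htaccess", ".git", "index.php", "video.mp4"]


if __name__ == "__main__":
    for service, host, container in find_root_mounts_in_docroot(SAMPLE_COMPOSE):
        print(f"[!] service '{service}' mounts project root {host} at {container}")
    print("blocked by ^\\. :", filesmatch_hits(r"^\.", SAMPLE_FILES))
    print("blocked by ^.  :", filesmatch_hits(r"^.", SAMPLE_FILES))
```

Run it as a script to see the flagged `avideo` mount and the two regex results side by side: `^\.` blocks only the three dotfiles, while the unescaped `^.` blocks index.php and video.mp4 as well, which is the outage a copy-paste of the rule without the backslash would cause.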

Fix

RCE


Weakness Enumeration

Related identifiers

CVE-2026-33692
GHSA-WF69-R4MX-43RR

Affected products

Wwbn Avideo