Sub-7 / FFmpegUI

FFmpegUI is a graphical web interface for the famous FFmpeg.

OS Command Injection Vulnerability

marben-olvbar opened this issue · comments

Hey Sub-7,

The FFmpegUI application is vulnerable to an OS command injection attack.
The issue is the use of "shell_exec()" with unsanitised user data in read_folder.php:

```php
if (is_dir($_POST['file']))
{
    $source = $path.$_POST['file'];
    $destination = $media.$_POST['destiny_folder'].$_POST['file'];
    // both POST values land unescaped in the command line passed to the shell
    $cmd = "cp -R $source $destination";
    shell_exec($cmd);
}
```

This allows an attacker with access to the web interface to execute arbitrary shell commands.
See the attached PoC for an example of how to exploit this issue to get RCE.
You'll need to update the two addresses in it, and also set up a TCP listener on your attacker machine, for example with nc -vlp 4444.

You could fix this issue by replacing lines 13 and 14 in read_folder.php with copy($source, $destination);, thus avoiding the need to call shell_exec() at all.

Kind regards

Marben
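As an added example (not FFmpegUI's own code and not part of the report above), here is the quoted read_folder.php block rewritten without shell_exec(). The two POST values are restricted to bare names, resolved with realpath() and checked to lie under the application's base directories ($path and $media, whose values are assumed placeholders here), and the directory is copied with PHP's own filesystem API instead of cp -R, since copy() by itself only handles a single file.

```php
<?php
// Added example, not FFmpegUI's own code: the cp -R block of read_folder.php
// without shell_exec(). $path and $media are assumed to be the application's
// upload and media base directories; the values below are placeholders.
$path  = '/var/www/ffmpegui/uploads/';
$media = '/var/www/ffmpegui/media/';

// Accept only a bare directory name: no separators, no "." or "..", no NUL bytes.
function safe_name(string $name): string
{
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name) || strpos($name, "\0") !== false) {
        http_response_code(400);
        exit('invalid name');
    }
    return $name;
}

// Resolve $child and refuse it unless it is strictly inside $base
// (realpath() canonicalises symlinks and ".." before the prefix check).
function inside(string $base, string $child): string
{
    $realBase  = realpath($base);
    $realChild = realpath($child);
    $prefix    = $realBase === false ? '' : $realBase . DIRECTORY_SEPARATOR;
    if ($realBase === false || $realChild === false
        || strncmp($realChild, $prefix, strlen($prefix)) !== 0) {
        http_response_code(400);
        exit('path outside allowed directory');
    }
    return $realChild;
}

// copy() handles a single file only; cp -R was recursive, so walk the tree in PHP.
function copy_tree(string $src, string $dst): void
{
    if (!is_dir($dst) && !mkdir($dst, 0750, true)) {
        throw new RuntimeException("cannot create $dst");
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($src, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $item) {
        $target = $dst . DIRECTORY_SEPARATOR . $iter->getSubPathname();
        if ($item->isDir()) {
            if (!is_dir($target) && !mkdir($target, 0750)) {
                throw new RuntimeException("cannot create $target");
            }
        } elseif (!copy($item->getPathname(), $target)) {
            throw new RuntimeException("cannot copy {$item->getPathname()}");
        }
    }
}

$file   = safe_name($_POST['file'] ?? '');
$folder = safe_name($_POST['destiny_folder'] ?? '');   // bare folder name, no trailing slash

$source  = inside($path, $path . $file);      // must exist under $path
$destDir = inside($media, $media . $folder);  // target folder must already exist under $media

if (is_dir($source)) {
    copy_tree($source, $destDir . DIRECTORY_SEPARATOR . $file);  // no shell, nothing to inject
}
```

The original calls is_dir() on the raw $_POST['file'] and concatenates destiny_folder without a separator; the version above takes both values as bare names and builds the paths itself. If a shell call must stay, wrapping each argument in escapeshellarg() is the minimum, but the containment checks are still needed, since a well-formed name can still point outside the intended tree.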

commented

Thanks for the feedback.
You are right, this problem also exists in the form of data.

The security notice somehow got lost in the README after editing; I will adjust it again.