lKinderBueno Streamity Xtream IPTV Player Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in lKinderBueno Streamity Xtream IPTV Player versions through 2.8. The issue resides in public/proxy.php, which accepts a url parameter and validates it only with filter_var using the FILTER_VALIDATE_URL filter. That filter checks that the string is a syntactically well-formed URL; it does not restrict the scheme, resolve the hostname, or reject loopback, private (RFC 1918), link-local, or otherwise reserved addresses. An attacker can therefore supply a url that points at an internal host and make the server issue HTTP requests on their behalf to internal or external destinations, potentially reaching resources such as cloud metadata services or internal administration interfaces.
Impact
Exploitation allows an attacker to have the server issue HTTP requests to internal or external destinations of the attacker's choosing. Depending on the server's network position, this can expose cloud metadata services, internal administration interfaces, or applications bound to localhost that are not reachable from the attacker's own network.
Reproduction
The issue is reproduced by sending a request to the public/proxy.php endpoint with a url parameter that points at an internal, loopback, or otherwise reserved address. Because FILTER_VALIDATE_URL accepts any syntactically valid URL, the server makes the request without rejecting private or internal destinations.
Remediation
Users are advised to upgrade to lKinderBueno Streamity Xtream IPTV Player version 2.8.1 or later, which addresses this vulnerability.
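The following is an added example, not code from the Streamity project or its 2.8.1 fix, illustrating the validation gap described above and one way to close it. It contrasts a check that relies on FILTER_VALIDATE_URL alone with a check that restricts the scheme, resolves the host, and rejects any address in a private or reserved range, then pins the vetted address for the fetch so a DNS answer cannot change between validation and connection. Function names, the fake resolver, and the sample URLs are constructed for illustration; the code assumes PHP 8.0+ with the curl extension.

```php
<?php
// Added example (not the project's code): FILTER_VALIDATE_URL alone versus a
// host-aware allowlist check for a URL-proxy endpoint. Assumes PHP 8.0+.
declare(strict_types=1);

// Vulnerable pattern: FILTER_VALIDATE_URL only verifies URL syntax. It never
// looks at the scheme or at where the host resolves.
function vulnerable_check(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// True when $ip is loopback, RFC 1918 private, link-local, or otherwise
// reserved. FILTER_VALIDATE_IP with NO_PRIV_RANGE|NO_RES_RANGE fails for
// exactly those ranges (IPv4 and IPv6), so "not public" means internal.
function is_internal_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Hardened check: returns the vetted public IP for $url, or null to reject.
// $resolver (hypothetical hook) maps a hostname to a list of IP strings so
// the check can be exercised without DNS; the default uses real lookups.
function validate_proxy_target(string $url, ?callable $resolver = null): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                       // rejects file://, gopher://, ftp:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                       // http://public@internal/ style confusion
    }
    $host = trim($p['host'], '[]');        // parse_url keeps IPv6 brackets

    // A literal IP needs no lookup; decimal/octal forms are not accepted by
    // FILTER_VALIDATE_IP and fall through to resolution, where the resolver
    // returns the canonical address and the range check still applies.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_internal_ip($host) ? null : $host;
    }

    $resolver ??= fn(string $h): array => array_merge(
        gethostbynamel($h) ?: [],
        array_column(dns_get_record($h, DNS_AAAA) ?: [], 'ipv6')
    );
    $addrs = $resolver($host);
    if ($addrs === []) {
        return null;                       // unresolvable: fail closed
    }
    foreach ($addrs as $ip) {
        if (is_internal_ip($ip)) {
            return null;                   // any internal answer rejects the URL
        }
    }
    return $addrs[0];
}

// Fetch with the vetted address pinned via CURLOPT_RESOLVE, so a changed DNS
// answer (rebinding) cannot steer the connection to an internal host, and
// with redirects disabled so a 3xx cannot do the same.
function fetch_pinned(string $url, string $ip): string|false
{
    $p    = parse_url($url);
    $host = trim($p['host'], '[]');
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs and a fake resolver so the comparison runs offline.
$fakeDns = fn(string $h): array => [
    'cdn.example'    => ['203.0.113.10'],
    'rebind.example' => ['203.0.113.10', '10.0.0.5'],   // one internal record
][$h] ?? [];

foreach ([
    'http://127.0.0.1:8080/admin',                // loopback literal
    'http://169.254.169.254/latest/meta-data/',   // link-local (cloud metadata)
    'http://[::1]/',                              // IPv6 loopback
    'file:///etc/passwd',                         // non-HTTP scheme
    'http://rebind.example/',                     // resolves partly internal
    'http://cdn.example/stream.m3u8',             // public host: accepted
] as $u) {
    printf("%-44s syntax-only=%-4s hardened=%s\n", $u,
        vulnerable_check($u) ? 'pass' : 'fail',
        validate_proxy_target($u, $fakeDns) ?? 'reject');
}
```

Every URL in the list passes the syntax-only check, including the file:// URL and the IPv6 loopback; only the public host survives the hardened check. The demo stops at validation; in a real handler the returned address is passed to fetch_pinned rather than letting curl resolve the name again, and the response is relayed only after that pinned fetch succeeds. Note that checking resolved addresses rather than the URL string is what handles alternate encodings of 127.0.0.1 and hostnames that resolve to internal ranges.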
