AVideo Server-Side Request Forgery Vulnerability in Thumbnail Endpoints

A Server-Side Request Forgery (SSRF) vulnerability has been identified in AVideo versions prior to 8.0. The issue resides in the public thumbnail endpoints 'getImage.php' and 'getImageMP4.php', which accept a 'base64Url' GET parameter. These endpoints base64-decode the parameter and pass the resulting URL to 'ffmpeg' as an input source, without any authentication. The previous validation only ensured that the URL was syntactically correct and began with 'http://' or 'https://', which is inadequate. This allows attackers to send requests to internal network resources or cloud metadata endpoints, such as AWS instance metadata, potentially leading to the exposure of sensitive information. The vulnerability is blind, meaning the response is not directly returned to the attacker, but could be inferred through timing differences and error logs.

Impact

Exploitation of this vulnerability allows for blind SSRF, where the server can be made to access internal resources or cloud metadata endpoints, with the potential to infer results based on timing and error log responses.

Remediation

Users are advised to update to AVideo version 8.0 or later, where this vulnerability has been patched. For those unable to upgrade, the endpoints can be blocked at the web server or firewall level, restricting access to trusted IPs. On cloud hosts, using instance metadata service IMDSv2 can add an additional layer of protection.