WWBN AVideo Scheduler Plugin SSRF Vulnerability via Unvalidated callbackURL

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Scheduler plugin of WWBN AVideo, an open-source video platform. The issue affects versions prior to 26.0. It arises because the plugin's 'run()' function passes the 'callbackURL' to 'url_get_contents()' after validating it only for URL format. Unlike other AVideo endpoints that have been patched for similar SSRF issues, the Scheduler plugin does not check the destination and so does not block requests to private internal addresses or cloud metadata endpoints. As a result, an admin can configure a scheduled task that targets internal network services or cloud metadata, potentially leading to unauthorized access to sensitive information or services.

Impact

Exploitation of this vulnerability allows server-side request forgery: an attacker with admin access can make the server send requests to internal services or cloud metadata endpoints. This could result in unauthorized access to internal APIs or retrieval of sensitive cloud metadata, such as IAM role credentials on AWS, which could be used for privilege escalation.

Reproduction

To reproduce this vulnerability, authenticate as an admin and create a scheduled task through the Scheduler plugin interface. Set the 'callbackURL' to an internal network address, such as a cloud metadata service endpoint. After the task is created, trigger its execution immediately via the 'Run now' option. Finally, check the scheduler execution logs, which will include the response from the metadata service, such as AWS IAM role credentials.

Remediation

Users should update to WWBN AVideo version 26.0 or later, where this vulnerability has been patched.
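For readers maintaining a fork or a similar plugin, the following is an added example (not AVideo's own code) of the destination check the Vulnerability section describes as missing: it resolves the 'callbackURL' host and rejects private, loopback, link-local (including the 169.254.169.254 metadata address) and other reserved ranges before anything is fetched. Function names, the injectable resolver and the sample hostnames are assumptions made for this illustration.

```php
<?php
// Added example (hypothetical names, not AVideo's own code): a destination
// check for callbackURL before url_get_contents(); the resolver is injectable
// so the check can be exercised offline.
function resolve_host(string $host): array
{
    $ips = [];   // every A and AAAA answer; the host is judged on all of them
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        $ips[] = $rec['ip'] ?? $rec['ipv6'];
    }
    return $ips;
}

function is_internal_ip(string $ip): bool
{
    // NO_PRIV_RANGE covers RFC 1918 and fc00::/7; NO_RES_RANGE covers loopback,
    // 0/8, 169.254/16 (cloud metadata), 240/4, ::ffff:0:0/96 and fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

function is_safe_callback_url(string $url, ?callable $resolver = null): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;                                  // not an absolute URL
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                                  // no file://, gopher://, ...
    }
    $host = strtolower(trim($p['host'], '[]'));        // parse_url keeps IPv6 brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host] : ($resolver ?? 'resolve_host')($host);
    if ($ips === []) {
        return false;                                  // unresolvable: fail closed
    }
    foreach ($ips as $ip) {
        if (is_internal_ip($ip)) {
            return false;                              // any internal answer rejects the URL
        }
    }
    return true;
}

// Constructed resolver so the demo runs without DNS.
$fakeDns = fn(string $h): array =>
    ['metadata.example' => ['169.254.169.254'], 'webhook.example' => ['203.0.113.10']][$h] ?? [];
var_dump(is_safe_callback_url('http://169.254.169.254/latest/meta-data/', $fakeDns));
var_dump(is_safe_callback_url('http://metadata.example/', $fakeDns));
var_dump(is_safe_callback_url('https://webhook.example/hook', $fakeDns));
```

The check only helps if the fetch connects to the address that was validated (pin it, for example with CURLOPT_RESOLVE, rather than resolving again) and if any HTTP redirect target is re-checked the same way; 100.64.0.0/10 is not covered by either filter flag and needs an explicit rule where CGNAT space is in use.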

Added: Mar 21, 2026, 12:30 AM
Updated: Mar 21, 2026, 12:30 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.0
impact          1.9
exploitability  5.7
remediation     7.7
relevance       4.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.