WWBN AVideo BulkEmbed Plugin Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the BulkEmbed plugin for WWBN AVideo, affecting versions through 25.0. The vulnerability arises because the plugin's save endpoint fetches user-provided thumbnail URLs using 'url_get_contents()' without proper SSRF protection. This oversight allows authenticated attackers to manipulate the server into making HTTP requests to internal network resources, potentially exfiltrating sensitive data. The issue has been addressed in version 26.0.

Impact

Exploitation of this vulnerability allows authenticated attackers to access internal network resources and cloud metadata endpoints, with the potential to exfiltrate sensitive information such as IAM credentials on AWS, GCP, or Azure. This could lead to unauthorized access to cloud services and data. Additionally, the vulnerability could be used to probe internal network services or databases via HTTP, creating further opportunities for data exfiltration or exploitation.

Reproduction

To reproduce this vulnerability, an authenticated user with permission to use the BulkEmbed plugin can send a request to the 'plugin/BulkEmbed/save.json.php' endpoint. The request must include a user-controlled thumbnail URL that points to an internal resource, such as a cloud metadata service URL. Once the request is processed, the server will fetch the thumbnail content without any SSRF validation and save it to disk. The fetched data can then be accessed by retrieving the saved thumbnail image, which will contain the response from the internal resource.

Remediation

Users can update to WWBN AVideo version 26.0 or later, where this vulnerability has been fixed.
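As an added example, not code from this advisory or from the AVideo project, this is the shape of the validate-before-fetch check a fixed save endpoint needs in front of url_get_contents(); the function names and the constructed DNS table are assumptions:

```php
<?php
// Added example, not AVideo project code: an SSRF guard for the thumbnail
// URL, to run before it is passed to url_get_contents(). Names are assumed.
// All A/AAAA answers for a host; $resolver is injectable so the guard can be
// exercised offline (default: real DNS). A literal IP needs no lookup.
function resolve_host(string $host, ?callable $resolver = null): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $resolver ??= function (string $h): array {
        $ips = [];
        foreach (dns_get_record($h, DNS_A | DNS_AAAA) ?: [] as $rr) {
            $ips[] = $rr['ip'] ?? $rr['ipv6'];
        }
        return $ips;
    };
    return $resolver($host);
}

function is_safe_thumbnail_url(string $url, ?callable $resolver = null): bool
{
    $p = parse_url($url);
    // Plain web fetches only: no file://, gopher://, dict:// or scheme-less URLs.
    if ($p === false || empty($p['host'])
        || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $ips = resolve_host(trim($p['host'], '[]'), $resolver); // strip IPv6 brackets
    if ($ips === []) {
        return false;                       // unresolvable hosts are never fetched
    }
    // Every answer must be globally routable: the flags reject loopback, RFC 1918,
    // link-local 169.254.0.0/16 (cloud metadata), IPv4-mapped IPv6 and reserved ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}
// Constructed resolver table standing in for DNS during the demonstration.
$fakeDns = fn(string $h): array => ['cdn.example.com' => ['203.0.113.10'],
    'metadata.google.internal' => ['169.254.169.254']][$h] ?? [];
var_dump(is_safe_thumbnail_url('https://cdn.example.com/thumb.jpg', $fakeDns));
var_dump(is_safe_thumbnail_url('http://169.254.169.254/', $fakeDns));
var_dump(is_safe_thumbnail_url('http://metadata.google.internal/', $fakeDns));
var_dump(is_safe_thumbnail_url('file:///etc/passwd', $fakeDns));
```

The check covers only the address resolved at validation time; to close DNS-rebinding and redirect gaps, pin the actual fetch to the validated IP (for example with cURL's CURLOPT_RESOLVE) and either disable redirects or re-validate each redirect target.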

Added: Mar 22, 2026, 5:26 PM
Updated: Mar 22, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 5.5
remediation: 7.7
relevance: 4.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.