WWBN AVideo Server-Side Request Forgery Vulnerability in Live Plugin

A Server-Side Request Forgery (SSRF) vulnerability has been identified in WWBN AVideo versions prior to 26.0, specifically within the Live plugin when deployed in standalone mode. The vulnerability arises in the file 'plugin/Live/standAloneFiles/saveDVR.json.php', where the '$_REQUEST['webSiteRootURL']' parameter is used without validation to create a URL that is fetched server-side via 'file_get_contents()'. This lack of authentication, origin validation, and URL allowlisting allows attackers to manipulate the request and access internal resources or services.

Impact

Exploitation of this vulnerability allows for unauthorized access to internal network resources and cloud metadata endpoints. Additionally, it bypasses authentication mechanisms in the application, potentially leading to unauthorized actions or access to sensitive information.

Reproduction

To reproduce this vulnerability, send a POST request to 'plugin/Live/standAloneFiles/saveDVR.json.php' with an attacker-controlled 'webSiteRootURL' parameter. The server will use this URL to fetch data via 'file_get_contents()', effectively performing SSRF. This can be verified by directing the request to a service that responds with the server's metadata or internal information.

Remediation

Users are advised to update to AVideo version 26.0 or later, where this vulnerability has been patched.