WWBN AVideo Server-Side Request Forgery Vulnerability via IPv4-Mapped IPv6 Addresses

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the 'isSSRFSafeURL()' function, which can be bypassed using IPv4-mapped IPv6 addresses. The unauthenticated 'plugin/LiveLinks/proxy.php' endpoint relies on this function to validate URLs before fetching them with cURL. However, the IPv4-mapped IPv6 prefix passes all validation checks, allowing attackers to access cloud metadata services, internal networks, and localhost services.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to bypass SSRF protections and access internal services and metadata endpoints, potentially leading to unauthorized access to sensitive information and cloud credentials.

Reproduction

To reproduce this vulnerability, send a request to the 'plugin/LiveLinks/proxy.php' endpoint with a 'livelink' parameter containing a URL that includes an IPv4-mapped IPv6 address, such as '::ffff:169.254.169.254'. The request will bypass the 'isSSRFSafeURL()' validation and access the specified metadata or internal service.

Remediation

Users are advised to update to the patched version of AVideo, which normalizes IPv4-mapped IPv6 addresses and improves URL validation to block private and reserved IP ranges. The updated validation can be implemented by using PHP's built-in filter options to reject private and reserved addresses.
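As an added example, not AVideo's own code (the function names here are this example's own), the following check follows the remediation described above: an IPv4-mapped IPv6 literal is first collapsed to its embedded IPv4 address with inet_pton(), and only then is filter_var() applied with FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE. It assumes the host is an IP literal; plain hostnames would additionally need DNS resolution and a check of every resolved address, which is left out.

```php
<?php
// Added example, not code from AVideo. Names are this example's own.

// Collapse ::ffff:a.b.c.d (and its hex form ::ffff:xxxx:xxxx) to a.b.c.d
// so that the IPv4 range filters are applied to the real target address.
function normalizeIpForSsrfCheck(string $host): ?string
{
    $host = trim($host, '[]');                       // URL form of an IPv6 literal
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;                                 // not an IP literal (hostnames not handled here)
    }
    $packed = inet_pton($host);                      // 4 bytes for IPv4, 16 for IPv6
    if ($packed === false) {
        return null;
    }
    // IPv4-mapped layout: 80 zero bits, 16 one bits, then the 32-bit IPv4 address.
    if (strlen($packed) === 16
        && substr($packed, 0, 10) === str_repeat("\0", 10)
        && substr($packed, 10, 2) === "\xff\xff") {
        return inet_ntop(substr($packed, 12, 4));
    }
    return $host;
}

// Returns true only for http(s) URLs whose IP literal is outside private
// and reserved ranges (loopback, link-local including 169.254.0.0/16, etc.).
function isUrlSafeForProxy(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $ip = normalizeIpForSsrfCheck($parts['host']);
    if ($ip === null) {
        return false;                                // fail closed on anything unrecognised
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed sample inputs: the mapped metadata address from the advisory,
// a mapped public address, and a plain loopback address.
foreach (['http://[::ffff:169.254.169.254]/latest/meta-data/',
          'http://[::ffff:93.184.216.34]/',
          'http://127.0.0.1/'] as $url) {
    printf("%-50s %s\n", $url, isUrlSafeForProxy($url) ? 'allowed' : 'blocked');
}
```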

Added: Mar 23, 2026, 3:23 PM
Updated: Mar 23, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 8.3
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.