WWBN AVideo Unauthenticated Server-Side Request Forgery Vulnerability in Live Plugin

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The issue resides in the Live plugin's test.php file, where the server accepts HTTP requests to arbitrary URLs without proper validation. This vulnerability allows remote users to access internal services or cloud metadata endpoints by probing localhost or internal network resources.

Impact

Exploitation of this vulnerability allows for unauthorized HTTP requests to be sent from the AVideo server to external or internal URLs, potentially accessing sensitive internal resources or cloud metadata.

Reproduction

The vulnerability can be reproduced by sending a request to 'plugin/Live/test.php' with a 'statsURL' parameter that points to an internal service or localhost. The server's response will indicate whether the internal resource was successfully accessed, demonstrating the SSRF vulnerability.

Remediation

To address this vulnerability, remove 'plugin/Live/test.php' from production deployments. If the file must remain, require admin authentication, restrict requests to configured Live stats URLs, block access to localhost and private IP ranges, and prevent reflected responses from upstream errors or fetched content.
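The remediation steps above, written out as an added hardening example in PHP (AVideo's language); this is not AVideo's own code. It assumes a hypothetical isAdminSession() helper and an $allowedStatsUrls array holding the admin-configured Live stats URLs, and layers an allow-list check, a scheme check and a resolved-address check before any fetch is made.

```php
<?php
// Added example, not part of AVideo: validate a user-supplied statsURL before
// plugin/Live/test.php performs any server-side request with it.
// Assumed: isAdminSession() (hypothetical) and $allowedStatsUrls (configured URLs).

function isForbiddenIp(string $ip): bool {
    // Rejects loopback, link-local (covers 169.254.169.254 metadata), private
    // and reserved ranges for IPv4 and IPv6 via PHP's built-in filter flags.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns null when the URL is acceptable, otherwise a reason to log (never reflect).
function validateStatsUrl(string $url, array $allowedStatsUrls): ?string {
    // 1. Only URLs the administrator already configured are fetchable.
    if (!in_array($url, $allowedStatsUrls, true)) {
        return 'statsURL is not one of the configured Live stats URLs';
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'statsURL could not be parsed';
    }
    // 2. Plain http/https only (no file://, gopher://, etc.).
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return 'statsURL scheme must be http or https';
    }
    // 3. Check every address the host resolves to, even for configured URLs.
    //    gethostbynamel() returns IPv4 only; use dns_get_record() for AAAA as well.
    $host = $parts['host'];
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return 'statsURL host does not resolve';
    }
    foreach ($ips as $ip) {
        if (isForbiddenIp($ip)) {
            return 'statsURL resolves to a loopback, private or reserved address';
        }
    }
    return null;
}

// Usage at the top of test.php: admin first, then validation, then the fetch.
if (!isAdminSession()) {
    http_response_code(403);
    exit('admin required');
}
$error = validateStatsUrl($_GET['statsURL'] ?? '', $allowedStatsUrls);
if ($error !== null) {
    error_log('Live/test.php rejected statsURL: ' . $error); // detail goes to the log only
    http_response_code(400);
    exit('invalid statsURL'); // generic reply: no upstream error or fetched body is echoed
}
```

The resolved-address check is only as good as the address actually connected to, so the fetch that follows should pin the connection to the validated IP (for cURL, CURLOPT_RESOLVE) and disable redirects, otherwise a DNS change or a 3xx from the configured host can still redirect the request inward.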

Added: Mar 23, 2026, 5:22 PM
Updated: Mar 23, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 9.1
remediation: 6.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.