WWBN AVideo Unauthenticated Live Stream Control via Token Verification URL Override

Vulnerability

A vulnerability in WWBN AVideo versions through 26.0 allows unauthenticated control of live streams by exploiting a token verification bypass. The issue arises in the standalone live stream control endpoint 'plugin/Live/standAloneFiles/control.json.php', where the 'streamerURL' parameter can be manipulated to redirect token verification requests to an attacker-controlled server. This server can be made to respond in a way that bypasses authentication, granting unauthorized access to live stream controls such as dropping publishers, starting or stopping recordings, and checking the existence of streams. The vulnerability also introduces a server-side request forgery (SSRF) risk, as the application makes outbound HTTP requests to the specified 'streamerURL' without proper validation.

Impact

Exploitation of this vulnerability allows for unauthenticated control over live streams, including the ability to terminate active broadcasts, start unauthorized recordings, and probe for valid stream names. Additionally, the vulnerability could be used to scan internal services or exfiltrate data via the SSRF component.

Reproduction

To reproduce this vulnerability, first set up a server that returns the JSON response {"error": false} for every request. Then send a request to the vulnerable endpoint 'control.json.php' with a token, a command (such as 'drop_publisher' or 'record_start'), and the 'streamerURL' parameter pointing to the attacker-controlled server. The response indicates that the command was executed successfully, demonstrating the bypassed authentication and unauthorized control over the live stream.

Remediation

Users are advised to update to version 28.0 or later, where this vulnerability has been addressed.
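The anti-pattern described under Vulnerability, beside one possible hardened form, as an added illustration that is not AVideo's own code and not the project's actual fix: in the vulnerable shape the request-supplied 'streamerURL' decides which server answers the token check, while the hardened shape only ever contacts the server-side configured streamer origin and rejects any other override before making an outbound request. The configuration constant, function names, '/verify' path and the stand-in fetcher are assumptions.

```php
<?php
// Added illustration, not AVideo's own code. The vulnerable shape mirrors the
// advisory's description of control.json.php; the hardened shape is one
// possible fix. Every name except 'streamerURL' and 'token' is hypothetical.
const CONFIGURED_STREAMER_URL = 'https://streamer.example.internal'; // hypothetical server-side config

// True only when scheme, host and port all match; path and query are ignored.
function sameOrigin(string $a, string $b): bool
{
    $pa = parse_url($a); $pb = parse_url($b);
    if ($pa === false || $pb === false) {
        return false;
    }
    foreach (['scheme', 'host', 'port'] as $k) {
        if (strtolower((string) ($pa[$k] ?? '')) !== strtolower((string) ($pb[$k] ?? ''))) {
            return false;
        }
    }
    return true;
}

// Vulnerable shape: the base URL for the token check comes from the request, so the
// caller picks the server that answers (auth bypass) and the app fetches any URL (SSRF).
function verifyTokenVulnerable(array $request, callable $fetch): bool
{
    $base = rtrim($request['streamerURL'] ?? CONFIGURED_STREAMER_URL, '/');
    $json = json_decode((string) $fetch($base . '/verify?token=' . urlencode($request['token'] ?? '')), true);
    return is_array($json) && ($json['error'] ?? true) === false;
}

// Hardened shape: the outbound URL is always built from server-side config; a client-supplied
// streamerURL is tolerated only if it is the configured origin, otherwise rejected and logged.
function verifyTokenHardened(array $request, callable $fetch): bool
{
    if (isset($request['streamerURL']) && !sameOrigin($request['streamerURL'], CONFIGURED_STREAMER_URL)) {
        error_log('control.json.php: rejected streamerURL override from client');
        return false;
    }
    $json = json_decode((string) $fetch(CONFIGURED_STREAMER_URL . '/verify?token=' . urlencode($request['token'] ?? '')), true);
    return is_array($json) && ($json['error'] ?? true) === false;
}

// Constructed fetcher standing in for the HTTP client: the configured streamer
// rejects an unknown token, any other host answers {"error": false}.
$fetch = fn(string $url): string => sameOrigin($url, CONFIGURED_STREAMER_URL) ? '{"error": true}' : '{"error": false}';
$request = ['token' => 'not-a-real-token', 'streamerURL' => 'https://other.example'];
echo 'vulnerable accepts: ', var_export(verifyTokenVulnerable($request, $fetch), true), PHP_EOL;
echo 'hardened accepts:   ', var_export(verifyTokenHardened($request, $fetch), true), PHP_EOL;
```

The error_log call in the hardened path doubles as a detection point: a client sending any 'streamerURL' that is not the configured origin is worth alerting on.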

Added: Mar 23, 2026, 7:58 PM
Updated: Mar 23, 2026, 7:58 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.8
exploitability: 9.7
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.