WWBN AVideo Server-Side Request Forgery Vulnerability in URL Handling

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The function 'isSSRFSafeURL()' correctly validates the requested URL against private and reserved IP ranges before fetching, but the 'url_get_contents()' function then follows HTTP redirects without re-validating the redirect target. An attacker can therefore bypass the SSRF protection by supplying a public URL that redirects to an internal one. The vulnerability has been patched by disabling automatic HTTP redirects and handling them manually, validating each redirect target before it is fetched.
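The redirect re-validation described above, as an added illustration that is not AVideo's own code (AVideo is written in PHP; this is a Python rendering of the same pattern with hypothetical function names): the vulnerable pattern that validates only the first URL beside the fixed pattern that disables automatic redirects and validates every hop. The hosts, addresses and HTTP responses are constructed stand-ins so the code runs offline.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def is_ssrf_safe_url(url, resolve):
    """Allow only http(s) URLs whose host resolves solely to globally routable addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:                                   # IP literal in the URL
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:                     # hostname: check every address it resolves to
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    # is_global is False for private, loopback, link-local (169.254/16) and reserved ranges
    return bool(addrs) and all(a.is_global for a in addrs)

def fetch_without_revalidation(url, transport, resolve, max_redirects=5):
    """Vulnerable pattern: validate the first URL only, then follow redirects blindly."""
    if not is_ssrf_safe_url(url, resolve):
        raise ValueError("blocked unsafe URL: " + url)
    for _ in range(max_redirects + 1):
        status, headers, body = transport(url)
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            return body
        url = urljoin(url, headers["Location"])
    raise ValueError("too many redirects")

def fetch_with_revalidation(url, transport, resolve, max_redirects=5):
    """Fixed pattern: automatic redirects off, every hop validated before it is fetched."""
    for _ in range(max_redirects + 1):
        if not is_ssrf_safe_url(url, resolve):
            raise ValueError("blocked unsafe URL: " + url)
        status, headers, body = transport(url)
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            return body
        url = urljoin(url, headers["Location"])  # Location may be relative
    raise ValueError("too many redirects")

# Constructed stand-ins for DNS and HTTP so the example runs offline (hypothetical hosts);
# the transport performs one request with automatic redirect following disabled.
CONSTRUCTED_DNS = {"cdn.example": ["93.184.216.34"], "redirector.example": ["93.184.216.35"]}
CONSTRUCTED_RESPONSES = {
    "http://cdn.example/img.png": (200, {}, b"PNG-bytes"),
    "http://redirector.example/img.png": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"instance-credentials"),
}
constructed_resolve = lambda host: CONSTRUCTED_DNS.get(host, [])
constructed_transport = lambda url: CONSTRUCTED_RESPONSES.get(url, (404, {}, b""))
```

In a real deployment the resolver must be the same one the HTTP client uses for the request, otherwise a host can resolve to a public address during the check and a private one during the fetch.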

Impact

Exploitation of this vulnerability allows access to cloud metadata services (such as AWS IMDSv1, GCP, and Azure) and internal network services, effectively bypassing the application's existing SSRF protections.

Reproduction

To reproduce this vulnerability, an attacker can set up a public URL that redirects to an internal IP address, such as the AWS metadata service. An authenticated user with the necessary permissions can then trigger an image download through the AVideo application, which will inadvertently follow the redirect and access the internal resource, thereby exploiting the SSRF vulnerability.

Remediation

Users can update to the latest version of WWBN AVideo, where this vulnerability has been addressed. Instructions for updating can be found in the AVideo documentation.

Added: Mar 27, 2026, 3:37 PM
Updated: Mar 27, 2026, 3:37 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.4
exploitability: 5.8
remediation: 6.0
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.