WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A stored server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the Electronic Program Guide (EPG) link feature, where authenticated users with upload permissions can store arbitrary URLs. These URLs are fetched by the server during each EPG page visit. The vulnerability exists because the URL validation relies solely on PHP's FILTER_VALIDATE_URL, which can accept internal network addresses. Although AVideo includes a function to validate URLs and prevent SSRF, it is not utilized in this context, allowing for exploitation that could scan internal networks, access cloud metadata services, and interact with internal resources.
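The validation gap described above, shown as an added example that is not AVideo's own code: a syntax-only `FILTER_VALIDATE_URL` check beside a stricter check that also rejects non-public destination addresses. The function names and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not AVideo's code; both function names are hypothetical.

// Syntax-only validation, as the advisory describes for the EPG link.
function weakUrlCheck(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Stricter check: http(s) only, and every resolved address must be public.
function ssrfSafeUrlCheck(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps IPv6 brackets
    // IP literal: check it directly. Hostname: resolve its A records
    // (AAAA records are not covered by gethostbynamel).
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        return false; // unresolvable host: fail closed
    }
    foreach ($addresses as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // private, loopback, link-local or reserved
        }
    }
    return true;
}

// Constructed sample inputs (IP literals, so no DNS lookup is needed).
$samples = [
    'http://169.254.169.254/',        // link-local (cloud metadata range)
    'http://127.0.0.1:8080/',         // loopback
    'http://10.0.0.5/epg.xml',        // RFC 1918 private
    'https://93.184.216.34/epg.xml',  // public address
];
foreach ($samples as $url) {
    printf("%-32s weak=%s strict=%s\n", $url,
        var_export(weakUrlCheck($url), true),
        var_export(ssrfSafeUrlCheck($url), true));
}
```

Because the EPG link is stored and fetched again on each page visit, a check like this belongs at fetch time as well as at save time. The HTTP client should also connect only to the address that was validated and should not follow redirects to unvalidated hosts.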
Exploitation of this vulnerability allows authenticated users with upload permissions to manipulate the AVideo server into making HTTP requests to internal or external targets. This could lead to unauthorized access of internal services, scanning of internal networks, and retrieval of sensitive cloud metadata, such as IAM credentials from AWS, GCP, or Azure. The stored nature of the vulnerability means it is re-executed with every EPG page visit, increasing its impact.
To reproduce this vulnerability, authenticate as a user with upload permissions. Create or edit a video, and set the EPG link to an internal target, such as a cloud metadata service URL. Once the EPG link is saved, visit the video's EPG page to trigger the EPG parser, which will fetch the stored URL server-side. This can be done using a curl command that includes the session cookie and targets the AVideo instance's EPG schedule plugin, referencing the video ID. The server's response can indicate whether the internal service is accessible.