WWBN AVideo Stored Server-Side Request Forgery Vulnerability in Live Restream Log Callback Flow

Vulnerability

A stored server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the Live restream log callback flow, where an authenticated streamer with low privileges can store an attacker-controlled restreamer URL. The application later fetches that stored URL server-side, so the streamer can make the AVideo host issue HTTP requests to internal HTTP services or loopback addresses and read the responses. The root cause is that the callback URL is not validated against the configured trusted restreamer endpoints before it is stored, and is not re-checked before it is fetched.

Impact

Exploitation allows an authenticated streamer to make the AVideo server send HTTP requests to internal services or loopback addresses and to receive the responses, potentially exposing information and resources that are reachable only from the application host. This could include local admin panels, internal APIs, cloud metadata services, or other confidential responses from services bound to the host.

Reproduction

To reproduce the issue, log in as a non-admin user that has streaming permissions. Create a standard restream destination and start a live transmission so that a restream history entry is generated. Extract the 'tokenForAction' value from the response and exchange it for a 'responseToken'. Next, store a loopback callback URL by sending a POST request to the 'add.json.php' endpoint with the 'restreamerURL' parameter set to the loopback URL. Finally, call the 'getRestream.json.php' endpoint: the server fetches the stored URL and returns the loopback service's response, which confirms the SSRF.

Remediation

Users are advised to validate 'restreamerURL' against explicitly configured trusted endpoints at the time it is stored, validate it again immediately before every server-side fetch, and bind the 'responseToken' to the specific restream row and callback host it was issued for. The same SSRF validation should be applied to the initial destination of every server-side fetch, and any user-supplied callback host that does not match the trusted configuration should be rejected. Because only the initial destination can be checked before the request is sent, the fetch should also be made without following redirects, or each redirect target must be validated in the same way.
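
As an added example (not AVideo's own code), the following PHP shows the two validation points described above: an exact allow-list match of 'restreamerURL' against configured trusted endpoints when the value is stored, and the same check, plus an address-range check on the resolved host, repeated immediately before the server-side fetch that the reproduction triggers. The trusted endpoint list, the function names, the constructed DNS table and the stand-in HTTP client are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's own code. Assumed operator configuration: the
// only restreamer endpoints the server is ever allowed to call back.
const TRUSTED_RESTREAMERS = [
    'https://restreamer.example.com/plugin/Live/restream.php',
];

/**
 * Exact allow-list match: scheme, host, port and path must all equal one
 * configured endpoint. Userinfo and fragments are rejected outright, so
 * "https://restreamer.example.com@127.0.0.1/..." never reaches the host test.
 */
function isTrustedRestreamerURL(string $url, array $trusted = TRUSTED_RESTREAMERS): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['fragment'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    foreach ($trusted as $endpoint) {
        $t = parse_url($endpoint);
        if ($t !== false && isset($t['scheme'], $t['host'])
            && strtolower($p['scheme']) === strtolower($t['scheme'])
            && strtolower($p['host']) === strtolower($t['host'])
            && ($p['port'] ?? null) === ($t['port'] ?? null)
            && ($p['path'] ?? '/') === ($t['path'] ?? '/')) {
            return true;
        }
    }
    return false;
}

/**
 * Defence in depth for the fetch step: resolve the already allow-listed host
 * and refuse loopback, link-local, private and reserved addresses, so a
 * trusted name later pointed at 127.0.0.1 is still not fetched. $resolve maps
 * a hostname to its addresses; it defaults to the system resolver (IPv4 only
 * via gethostbynamel) and is injectable so the demo runs without network.
 */
function resolvesToPublicAddress(string $host, ?callable $resolve = null): bool
{
    $resolve = $resolve ?? fn(string $h): array => gethostbynamel($h) ?: [];
    $host = trim($host, '[]');   // parse_url keeps the brackets of an IPv6 literal
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        return false;            // unresolvable: do not fetch
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

/** Store-time check, the point where add.json.php receives restreamerURL. */
function storeRestreamerURL(array &$row, string $url): bool
{
    if (!isTrustedRestreamerURL($url)) {
        return false;
    }
    $row['restreamerURL'] = $url;
    return true;
}

/**
 * Fetch-time check, the point where getRestream.json.php reads the stored
 * value back: the stored URL is re-validated rather than trusted. $httpGet
 * stands in for the real client, which must not follow redirects (for curl,
 * CURLOPT_FOLLOWLOCATION off) because only the initial destination was checked.
 */
function fetchRestreamLog(array $row, callable $httpGet, ?callable $resolve = null): ?string
{
    $url = $row['restreamerURL'] ?? '';
    if (!isTrustedRestreamerURL($url)) {
        return null;
    }
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !resolvesToPublicAddress($host, $resolve)) {
        return null;
    }
    return $httpGet($url);
}

// Constructed demo, no network: a fake resolver and a fake HTTP client.
$fakeDns  = fn(string $h): array => ['restreamer.example.com' => ['203.0.113.10']][$h] ?? [];
$fakeHttp = fn(string $u): string => "GET $u";

$row = [];
$cases = [
    'http://127.0.0.1/',                                                      // loopback, as in the reproduction
    'https://restreamer.example.com@127.0.0.1/plugin/Live/restream.php',      // userinfo trick
    'https://restreamer.example.com.attacker.example/plugin/Live/restream.php', // suffix trick
    'https://restreamer.example.com/plugin/Live/restream.php',                // the configured endpoint
];
foreach ($cases as $url) {
    printf("store %-76s -> %s\n", $url, storeRestreamerURL($row, $url) ? 'accepted' : 'rejected');
}
var_dump(fetchRestreamLog($row, $fakeHttp, $fakeDns));

// A row edited to a metadata-service address after storage is still refused at fetch time.
$row['restreamerURL'] = 'http://169.254.169.254/latest/meta-data/';
var_dump(fetchRestreamLog($row, $fakeHttp, $fakeDns));
```

The allow-list comparison is the primary control; the resolved-address check only guards against a trusted name being repointed at an internal address. Run as a script, the demo exercises the loopback URL from the reproduction, two host-confusion variants, the configured endpoint, and a stored value tampered with after the store-time check.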

Added: Apr 7, 2026, 8:53 PM
Updated: Apr 7, 2026, 8:53 PM

Vulnerability Rating

Custom Algorithm
spread          1.0
impact          0.6
exploitability  6.2
remediation     0.0
relevance       5.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.