648540858 wvp-GB28181-pro Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in 648540858 wvp-GB28181-pro versions through 2.7.4-20260107. The issue resides in the ABLMediaNodeServerService component, specifically within the getDownloadFilePath function. This vulnerability allows an attacker with administrative access to inject a malicious IP address into the streamIp parameter of the Media Server configuration. When a user triggers a cloud record download, the application constructs an HTTP URL using the injected IP address and makes an unvalidated HTTP request. This exploitation can lead to scanning internal networks, accessing cloud metadata services (such as AWS IAM credentials), or probing internal services from the application server's perspective.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where the application is tricked into making HTTP requests to internal services or cloud metadata endpoints. This could result in unauthorized access to sensitive information, such as IAM credentials in an AWS environment, or internal network services that are not exposed to the internet.

Reproduction

To reproduce this vulnerability, first inject a malicious IP address into the Media Server configuration via the '/api/media_server/save' endpoint. Once the IP address is stored, trigger the vulnerability by requesting a cloud record download through the '/api/cloud/record/download/zip' endpoint. The application will make an HTTP request to the injected IP address, exploiting the SSRF vulnerability.

Remediation

The vulnerability can be remediated by adding validation for the streamIp parameter to ensure it does not contain private IP addresses, cloud metadata service addresses, or localhost variants before being stored or used in HTTP requests. Additionally, implementing network segmentation to block internal IP requests could enhance security.