WWBN AVideo Same-Domain SSRF Bypass Vulnerability in isSSRFSafeURL Function

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions 29.0 and below. The issue arises in the isSSRFSafeURL() function within objects/functions.php, where a same-domain check compares only the hostname, so any URL whose hostname matches the site's own is treated as safe and bypasses the remaining SSRF protections. This vulnerability is exploitable by using the site's public hostname with a non-standard port to reach arbitrary services listening on the AVideo server. The response from these services is saved to a web-accessible directory, enabling full exfiltration of the data.

Impact

Exploitation of this vulnerability allows authenticated users with upload permissions to access internal services on the AVideo server via HTTP. This could include databases with HTTP interfaces, monitoring endpoints, admin panels, cloud metadata services (if the hostname resolves to a cloud instance), and other co-hosted services. The vulnerability also enables data exfiltration, as responses from the accessed internal services are written to a web-accessible directory, from which they can be retrieved.

Reproduction

To reproduce this vulnerability, authenticate as a user with upload permissions on an AVideo instance. Once authenticated, send a POST request to the objects/aVideoEncoder.json.php endpoint, including a downloadURL parameter that points to an internal service on a non-standard port. The isSSRFSafeURL() function will bypass the SSRF protections due to the same-domain hostname match. After the request is processed, the response from the internal service can be retrieved from the videos/cache/tmpFile/ directory, under the basename of the targeted URL.

Remediation

Users are advised to update to the patched version of AVideo, where this vulnerability has been addressed by modifying the isSSRFSafeURL() function to ensure that both the hostname and port match the webSiteRootURL.
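The weak hostname-only comparison beside the host-and-port comparison the patch describes, as an added example written for this page and not AVideo's own isSSRFSafeURL() code. The function names, the sample site root and the candidate URLs are constructed; the site root stands in for the webSiteRootURL setting.

```php
<?php
// Added example; assumes a configured site root equivalent to webSiteRootURL.

// Effective port when the URL carries none: 443 for https, 80 otherwise.
function defaultPortFor(string $scheme): int
{
    return strtolower($scheme) === 'https' ? 443 : 80;
}

// Weak check: hostname only. A URL such as https://site:8080/... matches
// even though port 8080 is a different service on the same machine.
function sameDomainWeak(string $url, string $siteRoot): bool
{
    $u = parse_url($url);
    $s = parse_url($siteRoot);
    if ($u === false || $s === false || empty($u['host']) || empty($s['host'])) {
        return false;
    }
    return strcasecmp($u['host'], $s['host']) === 0;
}

// Hardened check: scheme, hostname and effective port must all match the
// site root, so only the web front end itself is treated as "same site".
function sameOriginStrict(string $url, string $siteRoot): bool
{
    $u = parse_url($url);
    $s = parse_url($siteRoot);
    if ($u === false || $s === false
        || empty($u['host']) || empty($s['host'])
        || empty($u['scheme']) || empty($s['scheme'])) {
        return false;
    }
    if (strcasecmp($u['scheme'], $s['scheme']) !== 0) {
        return false;
    }
    if (strcasecmp($u['host'], $s['host']) !== 0) {
        return false;
    }
    $uPort = $u['port'] ?? defaultPortFor($u['scheme']);
    $sPort = $s['port'] ?? defaultPortFor($s['scheme']);
    return $uPort === $sPort;
}

// Constructed sample values for a stand-alone run.
$siteRoot = 'https://videos.example.com/';
$candidates = [
    'https://videos.example.com/video.mp4',     // genuinely same origin
    'https://videos.example.com:8080/status',   // same host, other port
    'http://videos.example.com/video.mp4',      // scheme change => port 80
    'https://other.example.com/video.mp4',      // different host
];

foreach ($candidates as $c) {
    printf("%-42s weak=%-5s strict=%s\n", $c,
        sameDomainWeak($c, $siteRoot) ? 'allow' : 'deny',
        sameOriginStrict($c, $siteRoot) ? 'allow' : 'deny');
}
```

The strict comparison only narrows the same-site exception; a URL that fails it should fall through to the normal SSRF checks (scheme allowlist, resolved address not in a private or loopback range) rather than being accepted on hostname alone.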

Added: Apr 22, 2026, 12:01 AM
Updated: Apr 22, 2026, 12:01 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 6.8
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.