WWBN AVideo Donation Webhook Blind SSRF Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions through 29.0. This issue allows an authenticated user to configure a donation notification webhook URL that points to internal or loopback addresses. When another user donates, the AVideo server sends a POST request to the specified URL, exploiting the lack of proper URL validation and redirect handling. The vulnerability could be used to access internal network resources or cloud metadata endpoints.

Impact

Exploitation of this vulnerability allows authenticated users to access internal network resources from the AVideo server, including loopback services, RFC1918 hosts, and cloud metadata endpoints. The vulnerability also enables state-changing POST requests to internal endpoints, such as admin actions or webhook receivers that accept arbitrary POST bodies. While the blind nature of the SSRF limits direct data exfiltration, it does not prevent state-changing requests or the use of out-of-band channels for data exfiltration.

Reproduction

To reproduce this vulnerability, an authenticated user must first configure a webhook URL that points to an internal or loopback address. This can be done by sending a POST request to the 'plugin/YPTWallet/view/saveConfiguration.php' endpoint with the desired URL. Once the webhook is set, another user can donate a small amount through the 'plugin/CustomizeUser/donate.json.php' endpoint. This triggers the AVideo server to send a POST request to the webhook URL, demonstrating the SSRF vulnerability. The issue can also be reproduced by registering an external URL that answers with an HTTP 307 redirect to an internal resource; because the server follows the redirect, any validation applied only to the configured URL is bypassed.

Remediation

Users are advised to update to the patched version of AVideo, which includes a proper fix for this vulnerability. The latest version can be obtained from the official AVideo repository.
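The two root causes named above, missing target validation and automatic redirect following, are the checks a webhook sender needs. The following is an added illustration written for this page, not AVideo's code or its patch: a URL validator that resolves the host and rejects non-public addresses, plus a delivery loop that re-validates every redirect hop. The hostnames, the injected resolver and the injected HTTP client are constructed so it runs offline.

```python
# Added example: outbound-webhook hardening against blind SSRF (not AVideo code).
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def is_public_ip(ip_str):
    """True only for globally routable unicast addresses: rejects loopback,
    RFC1918, link-local (incl. 169.254.169.254), CGNAT, reserved, multicast."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # e.g. ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def validate_webhook_url(url, resolve):
    """Accept only http(s) URLs whose host resolves exclusively to public IPs.
    `resolve(host) -> list[str]` is injected (assumed helper) so the check runs
    offline; production would call getaddrinfo and pin the chosen IP for the
    actual connection so a DNS-rebinding answer cannot change the target."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6 host
    except ValueError:
        addrs = resolve(host)                       # DNS name: check every A/AAAA
    return bool(addrs) and all(is_public_ip(a) for a in addrs)

def deliver_webhook(url, resolve, request, max_redirects=3):
    """Send the notification, following redirects by hand so each hop is
    validated before it is contacted. `request(url) -> (status, location)`
    is an injected client that must have automatic redirects disabled."""
    for _ in range(max_redirects + 1):
        if not validate_webhook_url(url, resolve):
            return ("blocked", url)        # internal/loopback/metadata target
        status, location = request(url)
        if status in REDIRECT_STATUSES and location:
            url = location                 # re-enter the loop: hop gets checked
            continue
        return ("delivered", url)
    return ("blocked", url)                # redirect chain too long
```

The 307 case from the Reproduction section is exactly the path the loop closes: the external URL passes, the redirect target is checked before any second request is made, and a loopback target is refused.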

Added: May 11, 2026, 10:39 PM
Updated: May 11, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.4
exploitability: 6.2
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.