WWBN AVideo Server-Side Request Forgery Vulnerability via HTTP Redirects

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions through 29.0. The issue arises in two endpoints, 'plugin/AI/receiveAsync.json.php' and 'objects/EpgParser.php', which call 'isSSRFSafeURL()' to validate a user-provided URL but then retrieve that URL with 'file_get_contents()' without disabling PHP's automatic redirect following (the HTTP stream wrapper follows 'Location' headers by default). The validation therefore only covers the first URL: an attacker-controlled server can answer with a 302 to an internal or cloud metadata address and the AVideo server follows it without re-validating the new target. Additionally, some calls to 'isSSRFSafeURL()' do not use its DNS pinning feature, so the hostname is resolved once for the check and again for the actual connection, leaving those callers open to DNS rebinding attacks.

Impact

Exploitation of this vulnerability allows authenticated attackers to make the AVideo server send HTTP requests to internal or cloud metadata addresses, potentially exfiltrating sensitive information such as IAM credentials. The vulnerability also enables access to internal services on localhost or private networks, which could include databases or admin panels. Furthermore, the AVideo server could be used to scan internal networks for open ports.

Reproduction

To reproduce the vulnerability, an authenticated attacker submits an image through the AI plugin whose URL points to a server they control. That server passes 'isSSRFSafeURL()' because it resolves to a public address, but responds with a 302 redirect whose 'Location' is an internal metadata address. When the image is processed, the AVideo server follows the redirect and fetches the internal metadata, bypassing the SSRF protection. A small script that serves the redirect, together with a request that triggers the fetch, automates this; the attacker's server log shows the validation request followed by the fetch that is redirected, and the fetched body is returned or stored by the vulnerable endpoint.
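The two bypasses described in the Vulnerability and Reproduction sections, modelled in Python as an added example that is not AVideo's code. It runs offline against an in-memory fake DNS table and fake HTTP responses (both constructed here); the function names 'is_ssrf_safe_url', 'fetch_vulnerable' and 'fetch_hardened', the hostnames and the public addresses '1.2.3.4' and '5.6.7.8' are this example's own assumptions. 'fetch_vulnerable' reproduces the advisory's pattern (validate once, then fetch with redirects followed and DNS re-resolved); 'fetch_hardened' shows the fix: never let the transport follow redirects, re-validate every hop, and connect to the IP address that passed validation.

```python
"""Model of the redirect-following and DNS-rebinding SSRF bypasses.

Constructed, network-free example: DNS and HTTP are in-memory fakes. The
function names and all addresses are this example's own assumptions, not
AVideo's code or any real infrastructure.
"""
import ipaddress
from urllib.parse import urlparse

METADATA_IP = "169.254.169.254"          # cloud metadata address targeted by the redirect
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed DNS table. "1.2.3.4" and "5.6.7.8" stand in for attacker-owned
# public addresses. The rebinding host answers with a public IP on the first
# lookup (validation) and with the metadata IP on the second (connection).
DNS_TABLE = {
    "redirect.attacker.example": ["5.6.7.8"],
    "rebind.attacker.example": ["1.2.3.4", METADATA_IP],
}

# Constructed HTTP responses keyed by (connected IP, path): (status, headers, body).
FAKE_HTTP = {
    ("5.6.7.8", "/img.png"): (302, {"Location": f"http://{METADATA_IP}/latest/meta-data/"}, b""),
    ("1.2.3.4", "/latest/meta-data/"): (200, {}, b"benign public content\n"),
    (METADATA_IP, "/latest/meta-data/"): (200, {}, b"iam/\n"),
}


class FakeResolver:
    """Stateful resolver: each lookup of a host returns its next listed answer."""

    def __init__(self, table):
        self.table = {host: list(answers) for host, answers in table.items()}

    def resolve(self, host):
        try:
            return str(ipaddress.ip_address(host))   # IP literal: nothing to look up
        except ValueError:
            pass
        answers = self.table.get(host)
        if not answers:
            raise LookupError(host)
        return answers.pop(0) if len(answers) > 1 else answers[0]


def http_get(ip, url):
    """Fake transport: 'connect' to ip and request the URL's path."""
    path = urlparse(url).path or "/"
    return FAKE_HTTP.get((ip, path), (404, {}, b""))


def is_ssrf_safe_url(url, resolver):
    """Resolve the host and reject anything that is not globally routable.
    Returns (ok, resolved_ip) so the caller can pin the checked address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False, None
    try:
        ip = ipaddress.ip_address(resolver.resolve(parsed.hostname))
    except (LookupError, ValueError):
        return False, None
    # is_global is False for loopback, RFC 1918, link-local (169.254/16), etc.
    return ip.is_global, str(ip)


def fetch_vulnerable(url, resolver, max_redirects=20):
    """The advisory's pattern: validate the submitted URL once, then fetch it with
    a client that resolves DNS again and follows Location headers unchecked,
    which is what file_get_contents() does by default."""
    ok, _ = is_ssrf_safe_url(url, resolver)
    if not ok:
        return None
    for _ in range(max_redirects + 1):
        ip = resolver.resolve(urlparse(url).hostname)   # second lookup: rebinding window
        status, headers, body = http_get(ip, url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = headers["Location"]                   # new target, never re-validated
            continue
        return body if status == 200 else None
    return None


def fetch_hardened(url, resolver, max_redirects=5):
    """Fix: the transport never follows redirects; every hop is re-validated and
    the connection goes to the exact IP that passed validation."""
    for _ in range(max_redirects + 1):
        ok, ip = is_ssrf_safe_url(url, resolver)
        if not ok:
            return None
        status, headers, body = http_get(ip, url)      # pinned IP, no second lookup
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = headers["Location"]
            continue
        return body if status == 200 else None
    return None                                         # too many redirects


if __name__ == "__main__":
    for target in ("http://redirect.attacker.example/img.png",
                   "http://rebind.attacker.example/latest/meta-data/"):
        print(target)
        print("  vulnerable:", fetch_vulnerable(target, FakeResolver(DNS_TABLE)))
        print("  hardened:  ", fetch_hardened(target, FakeResolver(DNS_TABLE)))
```

Running the block shows the vulnerable client returning the metadata body for both the redirect and the rebinding host, while the hardened client refuses the redirected hop and, for the rebinding host, talks only to the address that was validated. In PHP the same two properties map to passing a stream context with 'follow_location' set to 0 to 'file_get_contents()' (or handling redirects manually and validating each hop) and to connecting to the pinned IP, for example with cURL's 'CURLOPT_RESOLVE', rather than letting the client resolve the hostname a second time.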

Remediation

Users should update to the latest version of AVideo, where this vulnerability has been patched. Instructions for updating can be found in the AVideo documentation. When verifying a fix or hardening a deployment independently, the properties to check are that URL fetches do not follow redirects automatically (or re-run the SSRF check on every redirect target), and that the connection is made to the address that passed validation rather than to a second DNS lookup. As general defence in depth, not part of the project's patch, restricting outbound traffic from the AVideo host to the cloud metadata address and to internal networks, or requiring the cloud provider's session-based metadata access, limits what a remaining SSRF can reach.

Added: May 11, 2026, 10:36 PM
Updated: May 11, 2026, 10:36 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 6.2
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.