
AVideo Unauthenticated SSRF via webSiteRootURL Parameter – Standalone Deployment Risk

Unauthenticated SSRF in the standalone DVR saver of AVideo's Live plugin lets an attacker make the server issue requests to arbitrary URLs, which can be chained toward token-verification bypass and internal network reconnaissance. The PoC shows that the publicly reachable endpoint performs no input validation at all.

Sebastion

CVE References

Affected

AVideo/AVideo (Live plugin – standalone mode)

Vulnerability Class & Root Cause

This is a Server-Side Request Forgery (SSRF) vulnerability caused by building a URL from untrusted input without validation. The saveDVR.json.php endpoint reads $_REQUEST['webSiteRootURL'] and passes the value straight to file_get_contents(). In standalone mode, where configuration.php does not exist, the trusted $global['webSiteRootURL'] is unavailable, so the request parameter is used directly and nothing validates it in its place. The chain is: attacker-controlled URL → no scheme or host allowlisting → file_get_contents() issues the request from the server's own network position, which makes localhost services, internal ranges and cloud metadata endpoints reachable to an outside attacker.

PoC Significance for Defenders

The disclosure is significant because it proves several weaknesses at once: (1) the endpoint requires no authentication, (2) no origin validation protects against cross-origin abuse, (3) no host allowlisting restricts where the server will connect, and (4) no scheme restriction limits the parameter to HTTP, so file_get_contents() honours whatever stream wrappers the PHP build enables (file://, php://, ftp://, and the like; gopher:// only if a wrapper for it is installed, since stock PHP ships none). The PoC further shows that the forged request can be pointed at the verifyDVRTokenVerification.json.php endpoint, potentially bypassing its token verification logic. Reliability is high: the vulnerability is present in any AVideo deployment running the Live plugin in standalone mode, with no race or timing dependency.

Detection Guidance

Log Indicators:

  • HTTP requests to /plugin/Live/standAloneFiles/saveDVR.json.php whose webSiteRootURL parameter carries an unexpected host or scheme (e.g., 127.0.0.1, 169.254.169.254, RFC 1918 addresses, file://, gopher://)
  • Repeated requests from one source with varying webSiteRootURL values (reconnaissance or port-scanning behaviour)
  • Requests lacking the headers a browser would send (no Referer, non-browser User-Agent such as curl or python-requests), which indicates automation
  • Outbound connections initiated by the web server process to private IP ranges or to the cloud metadata service (169.254.169.254)

Signature Pattern: saveDVR\.json\.php.*webSiteRootURL= followed by a non-allowlisted host or a non-HTTP scheme. Apply it to the URL-decoded query string: in raw access logs the value arrives percent-encoded (http%3A%2F%2F127.0.0.1), so a pattern written against the literal "://" will miss it.

YARA Rule Concept:

rule AVideo_SSRF_Abuse
{
    strings:
        $path  = "saveDVR.json.php"
        $param = "webSiteRootURL"
    condition:
        $path and $param
}

Note that this concept matches every request to the endpoint, including legitimate ones carrying the deployment's own URL; treat it as a triage filter for captured traffic and decide on the decoded parameter value, not as an alert on its own.
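The indicators above, applied to access-log lines, as an added example in PHP (not code from the advisory or from AVideo). The log lines are constructed for this example and ALLOWED_HOSTS is a hypothetical deployment value. The scanner URL-decodes the query string before classifying the parameter, flags non-HTTP schemes, literal IPs in private or reserved ranges and hosts outside the allowlist, and counts distinct values per source to surface the reconnaissance pattern.

```php
<?php
// Added example, not part of the advisory: applies the log indicators above to
// Apache combined-format access-log lines. The log lines are constructed and
// ALLOWED_HOSTS is a hypothetical deployment value.
declare(strict_types=1);

const ALLOWED_HOSTS = ['videos.example.com'];
const TARGET_PATH   = '/plugin/Live/standAloneFiles/saveDVR.json.php';

// Constructed sample: one benign request, then one source probing four targets.
const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=https%3A%2F%2Fvideos.example.com%2F HTTP/1.1" 200 51 "https://videos.example.com/" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:00:02 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 51 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 200 51 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2025:10:00:04 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 51 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=gopher%3A%2F%2F10.0.0.5%3A6379%2F_ HTTP/1.1" 200 51 "-" "python-requests/2.31"
LOG;

// Classifies one decoded webSiteRootURL value. Returns a reason string for a
// suspicious value, or null when it points at an allowlisted host.
function classifyRootUrl(string $value, array $allowedHosts): ?string
{
    $p = parse_url($value);
    if ($p === false || empty($p['scheme'])) {
        return 'unparseable-or-relative';
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme:$scheme";                     // file://, gopher://, php:// ...
    }
    $host = strtolower($p['host'] ?? '');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        // Literal IP: private (RFC 1918) or reserved (loopback, 169.254/16) is the
        // SSRF signature; a public literal IP is still odd for a site root URL.
        $internal = filter_var($host, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
        return $internal ? "internal-ip:$host" : "literal-ip:$host";
    }
    return in_array($host, $allowedHosts, true) ? null : "unexpected-host:$host";
}

// Scans log text for the endpoint and returns, per source address, the alerts
// raised and the number of distinct parameter values seen (many distinct values
// from one source is the reconnaissance indicator).
function scanAccessLog(string $log, array $allowedHosts): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;                                // not a combined-format line
        }
        [, $src, $ts, $method, $target] = $m;
        $url = parse_url($target);
        if (($url['path'] ?? '') !== TARGET_PATH || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $q);                // percent-decodes the value
        if (!isset($q['webSiteRootURL'])) {
            continue;
        }
        $value = (string) $q['webSiteRootURL'];
        $findings[$src]['values'][$value] = true;
        $reason = classifyRootUrl($value, $allowedHosts);
        if ($reason !== null) {
            $findings[$src]['alerts'][] =
                ['time' => $ts, 'method' => $method, 'value' => $value, 'reason' => $reason];
        }
    }
    foreach ($findings as &$f) {
        $f['distinct'] = count($f['values']);
        $f['alerts'] = $f['alerts'] ?? [];
        unset($f['values']);
    }
    unset($f);
    return $findings;
}

foreach (scanAccessLog(SAMPLE_LOG, ALLOWED_HOSTS) as $src => $f) {
    printf("%s: %d distinct value(s), %d alert(s)\n", $src, $f['distinct'], count($f['alerts']));
    foreach ($f['alerts'] as $a) {
        printf("  [%s] %s %s -> %s\n", $a['time'], $a['method'], $a['value'], $a['reason']);
    }
}
```

The same classification can be run over a SIEM export by replacing SAMPLE_LOG with the file contents; the per-source distinct count is the field to alert on for scanning behaviour, while a single alert with an internal-ip or non-HTTP scheme reason is worth investigating on its own.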

Mitigation Steps

  1. Immediate Patch: Update AVideo to a version that fixes this issue (verify the vendor timeline; no fixed version is cited here).
  2. Input Validation: Strictly allowlist webSiteRootURL: accept only http:// and https://, require an exact match against the expected host(s), and block private and reserved ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, plus their IPv6 equivalents). Check the resolved address, not just the hostname, and do not follow redirects, otherwise an allowlisted name that resolves or redirects to an internal address (DNS rebinding, open redirect) defeats the check.
  3. Require Authentication: Add an authentication check to saveDVR.json.php and require a valid session or token before any outbound request is made.
  4. Network Segmentation: Run AVideo in a restricted network zone; block outbound connections from the web server to private IP ranges and to the cloud metadata service (169.254.169.254) at the host or network firewall.
  5. Avoid Standalone Mode: Where possible, deploy with a full configuration.php so the trusted $global['webSiteRootURL'] is used instead of the request parameter.
  6. WAF Rules: Deploy Web Application Firewall rules that reject requests to this endpoint whose webSiteRootURL value is not the deployment's own URL.
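The vulnerable pattern from the root-cause section beside a hardened replacement that implements mitigation steps 2 through 4, as an added example in PHP (not AVideo's code). ALLOWED_HOSTS, the function names and the injectable resolver are hypothetical; the resolver is injectable only so the check can be exercised without DNS. The safe fetch resolves the allowlisted host once, checks every answer against private and reserved ranges, then connects to the pinned IP with the hostname carried in the Host header and TLS peer name, so a name that is re-pointed between check and use cannot reach an internal address, and redirects are disabled.

```php
<?php
// Added example, not AVideo's code: the unvalidated
// $_REQUEST['webSiteRootURL'] -> file_get_contents() pattern from the advisory,
// beside a hardened replacement. ALLOWED_HOSTS, the function names and the
// injectable resolver are hypothetical.
declare(strict_types=1);

// Hosts this deployment may call back to; deployment-specific, hypothetical here.
const ALLOWED_HOSTS = ['videos.example.com'];

// The vulnerable shape: the parameter reaches file_get_contents() with no
// scheme or host check, so any enabled wrapper and any reachable address works.
function fetchDvrUnsafe(array $request)
{
    return @file_get_contents((string) $request['webSiteRootURL']);
}

// True only for globally routable addresses: rejects RFC 1918 space, loopback,
// link-local 169.254.0.0/16 (cloud metadata) and the IPv6 equivalents.
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Validates a candidate root URL and returns ['url', 'host', 'ip'] or null.
// $resolver maps a hostname to its A records (gethostbynamel by default).
function validateWebSiteRootURL(string $candidate, array $allowedHosts,
                                ?callable $resolver = null): ?array
{
    $resolver ??= 'gethostbynamel';
    $p = parse_url($candidate);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                               // relative, malformed or scheme-less
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                               // file://, php://, ftp://, gopher:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                               // http://videos.example.com@evil/ tricks
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return null;                               // no port scanning via the allowlist
    }
    $host = strtolower($p['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return null;                               // exact match, not a suffix check
    }
    // Resolve once and check every answer; the fetch below uses the checked IP,
    // so a name re-pointed at an internal address afterwards (DNS rebinding)
    // cannot slip through.
    $ips = $resolver($host);
    if (!is_array($ips) || $ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null;                           // allowlisted name pointing inward
        }
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return ['url' => "$scheme://$host$port" . ($p['path'] ?? '/'),
            'host' => $host, 'ip' => $ips[0]];
}

// Fetches through the pinned address: the IP goes in the URL, the validated
// hostname goes in the Host header and TLS peer name, and redirects are not
// followed (a 302 to http://127.0.0.1/ is a classic allowlist bypass).
function fetchDvrSafe(array $request, array $allowedHosts, ?callable $resolver = null)
{
    $v = validateWebSiteRootURL((string) ($request['webSiteRootURL'] ?? ''),
                                $allowedHosts, $resolver);
    if ($v === null) {
        return false;                              // caller should answer 400
    }
    $pinned = preg_replace('#^(https?://)' . preg_quote($v['host'], '#') . '#i',
                           '${1}' . $v['ip'], $v['url'], 1);
    $ctx = stream_context_create([
        'http' => ['header' => "Host: {$v['host']}\r\n", 'timeout' => 5,
                   'follow_location' => 0],
        'ssl'  => ['peer_name' => $v['host'], 'verify_peer' => true],
    ]);
    return @file_get_contents($pinned, false, $ctx);
}

// Constructed inputs checked against an offline resolver (hypothetical address).
$resolver = fn (string $h) => $h === 'videos.example.com' ? ['203.0.113.10'] : false;
foreach (['https://videos.example.com/', 'http://169.254.169.254/latest/meta-data/',
          'file:///etc/passwd', 'https://videos.example.com:6379/',
          'http://videos.example.com@10.0.0.5/'] as $candidate) {
    $ok = validateWebSiteRootURL($candidate, ALLOWED_HOSTS, $resolver) !== null;
    printf("%-45s %s\n", $candidate, $ok ? 'accepted' : 'rejected');
}
```

Step 4 (egress filtering) still belongs at the network layer: the resolver check above covers what the application can see, and a host firewall rule denying the web server process access to 169.254.169.254 and RFC 1918 space is the backstop for any validation bug.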

Risk Assessment

Likelihood of Exploitation: High. The endpoint is unauthenticated and publicly accessible; no special privileges or user interaction required. Tooling to exploit SSRF is widely available.

Threat Actor Interest: High. SSRF in an internet-facing deployment gives an attacker (1) internal network and port scanning from the server's vantage point, (2) access to cloud metadata services (AWS/Azure/GCP) and the credentials they hand out, (3) requests to unauthenticated internal services that trust the web server's address, and (4) a foothold for lateral movement; where a naive host check is later added, DNS rebinding is the usual technique for getting past it. Exposed application servers with this class of flaw draw both financially motivated and state-sponsored actors.

In-the-Wild Exploitation: Critical. Standalone DVR deployments are often internet-facing, and the disclosure is recent, so the endpoint is a likely target for automated scanners even though no confirmed in-the-wild exploitation is cited here. Organizations should assume active exploitation attempts and review access logs for the indicators above.