Unauthenticated SSRF in AVideo Live Plugin Enables Internal Network Reconnaissance

AVideo's `plugin/Live/test.php` accepts unauthenticated user input to trigger outbound HTTP requests without validation, enabling attackers to probe internal networks, access cloud metadata endpoints, and potentially pivot to internal services.

Sebastion

Affected

WWBN/AVideo

Vulnerability Analysis

Root Cause & Impact: The vulnerability stems from insufficient input validation on the statsURL parameter in test.php. The regex check /^http/ only confirms the protocol prefix but does not validate the target domain or implement SSRF-safe controls. The url_get_contents() function wraps file_get_contents() with no hostname allowlist, permitting requests to localhost, private RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and cloud metadata endpoints (169.254.169.254). When combined with unauthenticated access, this allows remote attackers to perform reconnaissance and exfiltrate sensitive data.

PoC Significance: The disclosed PoC demonstrates that the endpoint reliably returns error messages and response content, confirming service state and availability. By iterating through common internal ports (SSH, Redis, PostgreSQL, Kubernetes API, etc.), attackers can enumerate running services and potentially trigger information disclosure through verbose PHP warnings. The PoC validity is high: no authentication, CSRF tokens, or rate limiting appear to protect the endpoint.

Detection Guidance: Monitor web server logs for requests to /plugin/Live/test.php whose statsURL parameter targets a non-public address: patterns such as 127.0.0.1, localhost, 192.168., 10., 172.16. through 172.31., 169.254.169.254, or unusual ports. Enable PHP error logging to capture file_get_contents warnings. Look for rapid runs of failed connection attempts across many ports, which suggest port scanning. YARA rule: detect HTTP requests whose query string matches statsURL=http://(127\.0\.0\.1|localhost|192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.). The parameter value may arrive URL-encoded, so decode it before matching. WAF signatures should block requests where the decoded statsURL target is non-routable.

Mitigation Steps:

  1. Immediate: Restrict access to /plugin/Live/test.php via network ACL or .htaccess until patching (whitelist only required clients).
  2. Patch: Apply vendor patch when available; implement strict hostname allowlist for statsURL (DNS rebinding protection).
  3. Configuration: Set allow_url_fopen = Off in php.ini if test.php functionality permits.
  4. Validation: Replace regex check with robust URL parsing (validate host against allowlist, block private IP ranges via ip2long() checks, reject localhost and metadata endpoints).
  5. Defense-in-depth: Implement egress firewall rules preventing the web server from reaching internal networks or metadata endpoints; disable outbound connectivity except to approved stats endpoints.
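Steps 2 and 4 carried out in PHP, as an added example that is not AVideo's code: the bare /^http/ check is replaced by URL parsing, a hostname allowlist, a resolve-and-vet pass that refuses private and reserved addresses (the RFC 1918 ranges, loopback and the 169.254.169.254 metadata range), and a curl request pinned to the vetted address with CURLOPT_RESOLVE so a rebound second lookup cannot reach an internal host. `$allowedHosts` is an assumed operator-configured setting, and the pin uses the first IPv4 address returned for the host.

```php
<?php
// Added example, not AVideo's code; $allowedHosts is an assumed operator setting.
function is_public_ip(string $ip): bool
{
    // Rejects RFC 1918/ULA (NO_PRIV_RANGE) plus loopback, link-local incl.
    // 169.254.169.254, 0.0.0.0/8 and other reserved blocks (NO_RES_RANGE).
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// Returns the vetted IPv4 address to connect to, or null if the URL is refused.
function resolve_safe_stats_target(string $url, array $allowedHosts): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    // Allowlist first: IP literals and unknown names are never contacted.
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return null;
    }
    // Resolve here and vet every address; an allowlisted name pointing at an
    // internal address (misconfiguration or DNS rebinding) is refused.
    $ips = gethostbynamel($host) ?: [];
    if ($ips === [] || array_filter($ips, 'is_public_ip') !== $ips) {
        return null;
    }
    return $ips[0];
}
function fetch_stats(string $url, array $allowedHosts): ?string
{
    if (($ip = resolve_safe_stats_target($url, $allowedHosts)) === null) {
        return null;
    }
    $p    = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        // Pin the connection to the vetted address so the client's own lookup
        // cannot be rebound to an internal host; redirects would bypass the check.
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"],
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

Because the connection is pinned to the address vetted in the same request, the time-of-check/time-of-use window that DNS rebinding exploits is closed; egress firewall rules from step 5 remain the backstop if the allowlist is misconfigured.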

Risk Assessment: Likelihood of exploitation is very high due to zero authentication requirement and ease of discovery (plugin path is predictable). Threat actors routinely exploit SSRF to enumerate internal infrastructure, access Kubernetes dashboards, exfiltrate AWS credentials from metadata endpoints, and pivot to internal databases. Automated scanning tools (e.g., Shodan queries for AVideo instances) can identify vulnerable deployments. This is a high-value target for reconnaissance in supply-chain attacks and lateral movement campaigns.