AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

説明

Summary

The EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services.

Details

When a user adds or edits a video, the EPG link is stored via objects/videoAddNew.json.php:119:

$obj->setEpg_link($_POST['epg_link']);

The only validation applied is FILTER_VALIDATE_URL, which accepts URLs targeting internal addresses such as http://127.0.0.1, http://169.254.169.254, or http://10.0.0.1.

Later, when the EPG data is parsed, the stored URL is fetched server-side at objects/EpgParser.php:358:

$this->content = @\file_get_contents($this->url);

The file_get_contents() function follows redirects and supports multiple protocols including http://, https://, ftp://, and depending on PHP configuration, php:// and other stream wrappers.

The codebase contains an isSSRFSafeURL() function that validates URLs against internal network ranges, but this function is not invoked anywhere in the EPG link processing path.

Because the URL is stored in the database, every subsequent visit to the EPG page re-triggers the server-side request. This makes the SSRF persistent and repeatable without further attacker interaction.

Proof of Concept

  1. Authenticate as a user with upload permissions.

  2. Create or edit a video and set the EPG link to an internal target:

# Target the cloud metadata service
curl -b "PHPSESSID=USER_SESSION" \
  -X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
  -d "title=Test+Video&epg_link=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  1. Trigger the EPG parser by visiting the video's EPG page, or wait for the next page load that processes EPG data:
curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/Live/view/Live_schedule/?videos_id=VIDEO_ID"
  1. To scan internal ports, set the EPG link to various internal addresses:
# Scan an internal service
curl -b "PHPSESSID=USER_SESSION" \
  -X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
  -d "title=Test+Video&epg_link=http://127.0.0.1:6379/"
  1. The server fetches the URL via file_get_contents(). Response differences (timing, error messages, or returned content via EPG display) reveal whether internal services are running.

Impact

An authenticated user with upload permissions can force the AVideo server to make HTTP requests to arbitrary internal and external targets. This enables scanning of internal networks, access to cloud instance metadata (potentially exposing IAM credentials on AWS/GCP/Azure), and interaction with internal services that are not intended to be externally accessible. The stored nature of this SSRF means it re-executes on every page visit, amplifying the impact.

  • CWE-918: Server-Side Request Forgery (SSRF)
  • Severity: Medium

Recommended Fix

Add an isSSRFSafeURL() check before the file_get_contents() call at objects/EpgParser.php:355:

if (function_exists('isSSRFSafeURL') && !isSSRFSafeURL($this->url)) {
    throw new \RuntimeException('URL blocked by SSRF protection');
}

This reuses the existing SSRF protection function that is already applied in other code paths.


Found by aisafe.io

基本情報

タイプ
reviewed
深刻度
medium
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2026-04-01 21:08:40 UTC
更新
2026-04-02 11:32:35 UTC
GitHub レビュー済み
2026-04-01 21:08:40 UTC
NVD で公開
2026-03-31

EPSS Score

Score Percentile
0.03% 7.60%

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:L)
一般ユーザー権限があれば足り、管理者(root 相当)は不要。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:N)
改ざん・なりすましによる信頼毀損は軽微か、想定されない。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。

Identifiers

CWEs

CWE id Name
CWE-918 Server-Side Request Forgery (SSRF)

Credits

  • adrgs (reporter)
  • aisafe-bot (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer wwbn/avideo <= 26.0

References

cvelogic Threat Intelligence