Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1, 14.3.1, 26.0.1
CVE-2026-33766 describes a Server-Side Request Forgery (SSRF) vulnerability in wwbn/avideo versions up to 26.0. The flaw lets an attacker bypass the application's SSRF protection by way of HTTP redirects, potentially reaching internal resources. While a direct fix is pending, understanding the vulnerability and applying temporary mitigations is important for protecting affected systems.
The SSRF vulnerability in wwbn/avideo arises from a gap between the validation and the execution phase of URL handling. The isSSRFSafeURL() function validates a URL against private and reserved IP ranges before any content is fetched. However, url_get_contents(), which calls file_get_contents() with PHP's default redirect following enabled, never re-validates the target of a redirect. A request for a publicly routable URL that answers with a redirect to an internal address therefore passes the initial check and is still followed into the internal network. Depending on which internal services are reachable from the application host, this can expose sensitive internal data or services, or allow command execution if one of those services is itself vulnerable. The blast radius is bounded by the internal services reachable via the SSRF.
CVE-2026-33766 was publicly disclosed on 2026-03-26. Currently, there is no indication of active exploitation or a listing on CISA KEV. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature makes it likely that POCs will emerge. The EPSS score is pending evaluation.
Organizations utilizing wwbn/avideo versions 26.0 and earlier, particularly those with exposed web applications or internal services accessible via HTTP, are at risk. Shared hosting environments where multiple users share the same server instance are also vulnerable, as an attacker could potentially exploit the SSRF vulnerability to access resources belonging to other users.
• php: Examine access logs for requests containing unusual redirects or targeting internal IP addresses. Use grep to search for patterns like Location: http://internal-ip/.
• generic web: Use curl to test for redirect behaviour; curl -v writes headers to stderr, so redirect stderr into the pipe: curl -sv <target_url> 2>&1 | grep -i Location
• generic web: Monitor response headers for unexpected redirects. Look for Location headers pointing to internal resources.
• php: Review the objects/functions.php file for the vulnerable isSSRFSafeURL() and url_get_contents() functions. Check for modifications that might bypass the validation logic.
Disclosure
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
Given that a direct patch is not yet available, several mitigation strategies can be employed. First, place a Web Application Firewall (WAF) or reverse proxy in front of the application to filter requests containing suspicious redirects; configure it to block requests with excessive redirects or those targeting internal IP addresses. Second, disable HTTP redirects within the url_get_contents() function if possible, or implement custom redirect validation logic that checks every hop. Finally, review and restrict the permissions of the user account running the wwbn/avideo application to limit the impact of a successful SSRF attack. After implementing these mitigations, verify their effectiveness by attempting to trigger the SSRF vulnerability with a controlled redirect.
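The mechanism described above (validation only of the first URL, redirect targets followed unchecked) and the second mitigation (disable automatic redirects and validate each hop yourself) can be shown in one place. The following is an added example and is not AVideo's own code or its fix commit; the helper names isUnsafeTarget(), fetchNoRedirect(), resolveLocation() and safeUrlGetContents() are hypothetical, and the redirect chain at the bottom is constructed in memory so the file runs without network access.

```php
<?php
// Added example (not wwbn/avideo code): fetch a URL while re-validating every
// redirect target, instead of letting file_get_contents() chase Location headers.
declare(strict_types=1);

// True when the URL must not be fetched: non-HTTP scheme, unparsable host,
// unresolvable host, or any resolved address in a private/reserved range.
function isUnsafeTarget(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return true;                       // unparsable input is treated as unsafe
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return true;                       // file://, gopher:// etc. are never allowed
    }
    $host = $p['host'];
    // IP literal: check it directly. Hostname: resolve it (IPv4 only here) so a
    // DNS name pointing at 10.0.0.1 is caught. Bracketed IPv6 literals fail
    // both paths and are therefore refused, which is the conservative choice.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return true;                       // unresolvable: refuse rather than guess
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects RFC 1918 space, NO_RES_RANGE rejects loopback,
        // link-local, 0.0.0.0/8 and 240.0.0.0/4.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return true;
        }
    }
    return false;
}

// One request with redirect following disabled. Returns [status, location|null, body].
function fetchNoRedirect(string $url): array
{
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'follow_location' => 0,            // do NOT let PHP follow Location headers
        'ignore_errors'   => true,         // 3xx/4xx still yield headers and body
        'timeout'         => 10,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    $status = 0;
    $location = null;
    foreach ($http_response_header ?? [] as $h) {  // populated by file_get_contents()
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) {
            $status = (int) $m[1];
        } elseif (stripos($h, 'Location:') === 0) {
            $location = trim(substr($h, 9));
        }
    }
    return [$status, $location, $body === false ? '' : $body];
}

// Turn a possibly relative Location value into an absolute URL.
function resolveLocation(string $base, string $location): string
{
    if (parse_url($location, PHP_URL_SCHEME) !== null) {
        return $location;                  // already absolute
    }
    $b = parse_url($base);
    $origin = $b['scheme'] . '://' . $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');
    if ($location !== '' && $location[0] === '/') {
        return $origin . $location;
    }
    $dir = rtrim(dirname($b['path'] ?? '/'), '/');
    return $origin . $dir . '/' . $location;
}

// Fetch $url and every redirect it leads to, validating each hop before it is
// requested. $fetch is injectable so the logic can be exercised offline.
function safeUrlGetContents(string $url, callable $fetch, int $maxHops = 5): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (isUnsafeTarget($url)) {
            throw new RuntimeException("refusing to fetch internal target: $url");
        }
        [$status, $location, $body] = $fetch($url);
        if ($status < 300 || $status >= 400 || $location === null) {
            return $body;                  // final, non-redirect response
        }
        $url = resolveLocation($url, $location);
    }
    throw new RuntimeException('too many redirects');
}

// Constructed redirect chain for the demonstration (no network involved):
// 203.0.113.10 is in the RFC 5737 documentation range and stands in for a
// public host; it answers 302 to the loopback address, as in the advisory.
$fakeResponses = [
    'http://203.0.113.10/video.mp4' => [302, 'http://127.0.0.1:8080/admin', ''],
    'http://127.0.0.1:8080/admin'   => [200, null, 'INTERNAL ADMIN PAGE'],
];
$fakeFetch = fn(string $u): array => $fakeResponses[$u] ?? [404, null, ''];

try {
    echo safeUrlGetContents('http://203.0.113.10/video.mp4', $fakeFetch), "\n";
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";   // the second hop is refused
}
// Real use: safeUrlGetContents($url, 'fetchNoRedirect');
```

Two caveats a practitioner should keep in mind. The hostname check resolves DNS once and the fetch resolves it again, so a name that rebinds between the two lookups can still slip through; pinning the resolved address (or resolving in a proxy that enforces the policy) closes that gap. On PHP 8.2 and later, FILTER_FLAG_GLOBAL_RANGE is a stricter alternative to the two flags used here, but it also rejects documentation ranges such as the 203.0.113.0/24 address used in the demonstration.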
Update AVideo to a version after 26.0. The vulnerability is fixed in commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12, which prevents the bypass of the SSRF protection via HTTP redirects.
CVE-2026-33766 is an SSRF vulnerability in wwbn/avideo versions up to 26.0, allowing attackers to bypass SSRF protection via HTTP redirects and potentially access internal resources.
You are affected if you are using wwbn/avideo version 26.0 or earlier. Assess your environment to determine if you are using this component.
Upgrade to a patched version of wwbn/avideo when available. Until then, implement WAF rules, disable redirects, and restrict user permissions.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the wwbn/avideo project's official website or repository for updates and advisories regarding CVE-2026-33766.