Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33351 is a critical Server-Side Request Forgery (SSRF) vulnerability in the WWBN AVideo Live plugin, specifically in the file `plugin/Live/standAloneFiles/saveDVR.json.php` when deployed in standalone mode.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that the server fetches using `file_get_contents()` without any authentication, origin validation, or URL allowlisting."}, {'type': 'paragraph', 'content': 'This means an attacker can supply arbitrary URLs, including internal network addresses or cloud metadata endpoints, causing the server to make unauthorized requests on their behalf.'}, {'type': 'paragraph', 'content': 'Additionally, the attacker can bypass DVR token verification by hosting a malicious server that responds with a forged verification response, potentially influencing downstream processing and command execution.'}, {'type': 'paragraph', 'content': 'Although some input sanitization is applied, certain characters allowed in the verification key may enable further exploitation, including command execution in some environments.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several severe impacts:

• Attackers can perform SSRF attacks to scan and access internal network services and cloud metadata endpoints, potentially exposing sensitive infrastructure details.
• The DVR token verification can be bypassed, allowing attackers to manipulate downstream processes that rely on this verification.
• Potential command execution may be possible due to attacker control over file paths and shell commands, which could lead to further compromise of the server.
• Information disclosure can occur through error messages that leak internal URLs and response contents.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized server-side requests originating from the AVideo Live plugin, especially targeting internal network resources or cloud metadata endpoints.'}, {'type': 'paragraph', 'content': 'Since the vulnerability exploits the `webSiteRootURL` parameter in `plugin/Live/standAloneFiles/saveDVR.json.php`, you can look for HTTP POST requests to this endpoint containing this parameter.'}, {'type': 'paragraph', 'content': 'Network detection commands might include inspecting web server logs or using tools like tcpdump or Wireshark to identify outgoing requests to internal IP ranges or unusual external hosts triggered by the server.'}, {'type': 'list_item', 'content': "Use grep to find suspicious POST requests in web server logs: `grep 'saveDVR.json.php' /var/log/apache2/access.log | grep 'webSiteRootURL'`"}, {'type': 'list_item', 'content': 'Monitor outgoing HTTP requests from the server to internal IPs or metadata endpoints: `tcpdump -i eth0 dst net 169.254.169.254 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16`'}, {'type': 'list_item', 'content': 'Check for unexpected curl or wget commands in process lists or shell history that might indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing application logs for error messages leaking URLs or content fetched by the vulnerable script can help identify exploitation attempts.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading to AVideo version 26.0 or later, which contains a patch addressing this vulnerability.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, apply the following mitigations:'}, {'type': 'list_item', 'content': 'Remove the fallback to the user-controlled `webSiteRootURL` parameter entirely, requiring the `$streamerURL` to be set in the configuration file.'}, {'type': 'list_item', 'content': "If fallback is necessary, strictly validate the URL using PHP's `FILTER_VALIDATE_URL` and ensure the scheme is HTTP or HTTPS."}, {'type': 'list_item', 'content': 'Resolve the hostname and block private or reserved IP ranges to prevent SSRF to internal resources.'}, {'type': 'list_item', 'content': 'Apply `escapeshellarg()` to all variables used in `exec()` calls, including `$DVRFileTarget` and `$tmpDVRDir`, to prevent command injection.'}, {'type': 'list_item', 'content': 'Abort processing if `$streamerURL` is empty or invalid after validation.'}, {'type': 'paragraph', 'content': 'Also, monitor logs for suspicious activity and restrict network access from the server to sensitive internal endpoints where possible.'}] [2, 1]

Useful 0 Not Useful 0