GitHub_M·CWE-348·Published 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.
## Summary

The `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. The only value in `$_SERVER` that a remote attacker cannot choose is `REMOTE_ADDR`, the address of the TCP peer; the function consults it last, so any request that carries one of the earlier headers with a syntactically valid IPv4 address overrides it. The `filter_var()` check only confirms that the candidate looks like an IPv4 address: it does not verify that the header was set by a trusted reverse proxy, and it accepts loopback and private-range values such as `127.0.0.1`. An attacker can therefore spoof their IP address by sending forged headers, bypassing any IP-based access control, rate limit or audit logging that relies on this function.

## Vulnerable Code

File: `objects/functions.php`

```php
// Headers are checked in this order; REMOTE_ADDR (the real TCP peer) comes last,
// so any client-supplied header with a valid IPv4 address wins.
$headers = [
    'HTTP_X_REAL_IP',        // request header X-Real-IP
    'HTTP_CLIENT_IP',        // request header Client-IP
    'HTTP_X_FORWARDED_FOR',  // request header X-Forwarded-For
    'REMOTE_ADDR'
];
foreach ($headers as $header) {
    if (!empty($_SERVER[$header])) {
        // X-Forwarded-For may hold a comma-separated chain; the first valid entry is taken,
        // which is the hop the client itself controls.
        $ips = explode(',', $_SERVER[$header]);
        foreach ($ips as $ipCandidate) {
            $ipCandidate = trim($ipCandidate);
            // Syntax check only: no trusted-proxy check, no rejection of loopback or private ranges.
            if (filter_var($ipCandidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                return $ipCandidate;
            }
        }
    }
}
```

## Attack Scenario

1. The attacker sends a request carrying a forged header. PHP exposes a request header in `$_SERVER` as `HTTP_` followed by the upper-cased, underscore-joined header name, so the headers this code reads are `X-Real-IP`, `Client-IP` and `X-Forwarded-For`:

   ```
   X-Real-IP: 127.0.0.1
   ```

   or

   ```
   Client-IP: 192.168.1.1
   ```

2. `getRealIpAddr()` returns the forged address instead of `REMOTE_ADDR`.
3. Any IP-based rate limiting, access control or audit log that relies on this function is bypassed.

## Proof of Concept

```bash
curl -H "X-Real-IP: 127.0.0.1" \
  https://target.com/any_endpoint.php
```

The server now believes the request came from localhost. The same result is obtained with `Client-IP: 127.0.0.1` or `X-Forwarded-For: 127.0.0.1`, since all three headers are consulted before `REMOTE_ADDR`.

## Impact

- Bypass IP-based rate limiting
- Bypass IP-based access controls
- Forge audit log entries
- Potential privilege escalation if localhost is trusted
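The following is an added example, not AVideo's code and not the content of the referenced patch commit. It places the vulnerable header-first lookup next to a hardened version that treats `REMOTE_ADDR` as the only trustworthy value, honours forwarding headers only when the TCP peer is one of a configured set of reverse proxies, and then walks `X-Forwarded-For` from the right to find the nearest hop that is not one of those proxies. The function names, the `$trustedProxies` list and the request arrays are assumptions constructed for the demonstration.

```php
<?php
// Added example (not the project's code). Shows the vulnerable header-first lookup
// beside a hardened lookup that only trusts forwarding headers set by known proxies.

// Reproduces the vulnerable pattern: any client-supplied header wins over REMOTE_ADDR.
// Takes $_SERVER (or a constructed equivalent) as a parameter so it can be exercised offline.
function getRealIpAddrVulnerable(array $server): ?string
{
    $headers = ['HTTP_X_REAL_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'];
    foreach ($headers as $header) {
        if (!empty($server[$header])) {
            foreach (explode(',', $server[$header]) as $ipCandidate) {
                $ipCandidate = trim($ipCandidate);
                if (filter_var($ipCandidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                    return $ipCandidate;
                }
            }
        }
    }
    return null;
}

// Hardened lookup. $trustedProxies holds the addresses of this deployment's own reverse
// proxies or load balancers (assumed list; it must come from server-side configuration,
// never from the request).
function getClientIpHardened(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!filter_var($remote, FILTER_VALIDATE_IP)) {
        return null; // no usable peer address at all
    }
    // Direct connection, or a peer we did not configure as a proxy: every header is
    // attacker-controlled, so the TCP peer address is the answer.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Behind one of our proxies: the proxy appends the address it saw to the right end of
    // X-Forwarded-For, so walk from the right and skip hops that are our own proxies.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            // A malformed hop means the chain is not what our proxies produce; fall back
            // to the proxy's address rather than guessing.
            return $remote;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // nearest hop that is not one of ours
        }
    }
    // Header empty, or every hop was one of our proxies: attribute to the proxy itself.
    return $remote;
}

$trustedProxies = ['192.0.2.10']; // assumed: the deployment's single reverse proxy

// Constructed request 1: attacker at 203.0.113.7 connects directly and forges headers.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_REAL_IP'       => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.5, 127.0.0.1',
];
echo "vulnerable, direct+forged: ", getRealIpAddrVulnerable($forged), "\n";
echo "hardened,   direct+forged: ", getClientIpHardened($forged, $trustedProxies), "\n";

// Constructed request 2: same attacker, but through the real proxy, which appended the
// attacker's true address after the forged hop the attacker put in X-Forwarded-For.
$viaProxy = [
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7',
];
echo "vulnerable, via proxy:     ", getRealIpAddrVulnerable($viaProxy), "\n";
echo "hardened,   via proxy:     ", getClientIpHardened($viaProxy, $trustedProxies), "\n";
```

Run with `php example.php`. In the direct request the vulnerable function reports the forged loopback address while the hardened one reports the TCP peer; in the proxied request the vulnerable function again takes the attacker's forged first hop, while the hardened one returns the address the trusted proxy appended. The design point is that `REMOTE_ADDR` is the only input the attacker cannot set, so forwarding headers may only be believed when `REMOTE_ADDR` is a proxy you operate, and even then only the hops you did not add yourself are attributable.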
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.
| CVSS version | Type | Source | Base score | Exploitability subscore | Impact subscore | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |