Server-Side Request Forgery (SSRF) in HaschekSolutions/pictshare

Valid
Reported on Jun 7th 2021

✍️ Description

Hi, there is an SSRF vulnerability in pictshare. In api/geturl.php, users are asked to enter a URL and the server fetches it and stores the content in the tmp folder of the app. However, no check is performed on the $url variable to ensure it doesn't point to internal resources.

$url = trim($_REQUEST['url']);//no checks in the url variable

// only the scheme prefix is checked; the host part is never inspected
if(!$url || !startsWith($url, 'http'))
    exit(json_encode(array('status'=>'err','reason'=>'Invalid URL')));

/**/

// fetches whatever the URL points to, internal hosts included, and stores it under tmp/
$name = basename($url);
$tmpfile = ROOT.DS.'tmp'.DS.$name;
file_put_contents($tmpfile,file_get_contents($url));

If a user visits a local URL such as http://192.168.169.103/pictshare/api/geturl.php?url=http://127.0.0.1 then the server will fetch the content served by localhost and store it at http://192.168.169.103/pictshare/tmp/127.0.0.1

The same goes for cloud instance metadata located at http://169.254.169.254/latest/meta-data/, for example. If cloud instances are used in the same environment as the app, attackers can abuse this endpoint to retrieve sensitive data located in internal networks.
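As an added example (not pictshare's own code), one hardened form of the fetch above: it parses the URL, resolves the host, refuses any address in loopback, private, link-local or reserved ranges (which covers 127.0.0.1 and 169.254.169.254), pins the checked address for the request and disables redirects. It assumes PHP 7.1+ with the curl extension and the app's ROOT and DS constants; the function names are mine.

```php
<?php
// Added example, not pictshare's code. Assumes PHP >= 7.1 with curl; ROOT/DS come from the app.
// Returns [host, port, ip] when the URL is http(s) and every address the host
// resolves to lies outside loopback, private, link-local and reserved ranges
// (127/8, 10/8, 172.16/12, 192.168/16, 169.254/16 incl. 169.254.169.254, ::1,
// fe80::/10, unique-local IPv6); null otherwise. The ip is pinned in the request
// later, so a second DNS lookup (rebinding) cannot swap in an internal address.
function validateTargetUrl(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') return null;
    if (isset($p['user']) || isset($p['pass'])) return null; // no user@host form
    $host = trim($p['host'], '[]');                           // bare IPv6 literal
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ips  = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : [];
    if (!$ips) {
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $r) {
            if (in_array($r['type'], ['A', 'AAAA'], true)) $ips[] = $r['ip'] ?? $r['ipv6'];
        }
    }
    if (!$ips) return null;
    foreach ($ips as $ip) {   // a single internal record rejects the whole URL
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) return null;
    }
    return [$host, $port, $ips[0]];
}
// Fetch with redirects disabled (a public host must not bounce the request to
// an internal one) and the checked address pinned; returns the tmp path or null.
function fetchToTmp(string $url): ?string
{
    if (($t = validateTargetUrl($url)) === null) return null;
    [$host, $port, $ip] = $t;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // libcurl accepts IPv6 here too
        CURLOPT_CONNECTTIMEOUT => 5,    CURLOPT_TIMEOUT => 20,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) return null;
    $tmpfile = ROOT.DS.'tmp'.DS.basename($url);   // same destination as the original
    file_put_contents($tmpfile, $body);
    return $tmpfile;
}
```

Note that validating the hostname alone is not enough: the address must be resolved, checked and then pinned, because the host could otherwise resolve to an internal address at request time or redirect to one.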