Hi, there is an SSRF vulnerability in api/geturl.php: users are asked to enter a URL, and the server fetches it and stores the response in the app's tmp folder. However, no check is performed on the $url variable to ensure it does not point to internal resources.
```php
$url = trim($_REQUEST['url']); // no checks on the url variable
if (!$url || !startsWith($url, 'http'))
    exit(json_encode(array('status' => 'err', 'reason' => 'Invalid URL')));
/**/
$name = basename($url);
$tmpfile = ROOT.DS.'tmp'.DS.$name;
file_put_contents($tmpfile, file_get_contents($url));
```
If a user visits a local URL like:
Then the server will fetch the content served by the localhost and store it in
The same goes for cloud instance metadata located at http://169.254.169.254/latest/meta-data/, for example.
If cloud instances are used in the same environment as the app, attackers can abuse this endpoint to retrieve sensitive data located in internal networks.
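As an added example (not the project's code), here is a hardened replacement for the unchecked $url handling above: it accepts only http/https, resolves the host, rejects any loopback, link-local, private or reserved address, and then connects to the validated IP with redirects disabled so the check cannot be bypassed by a redirect or a changing DNS answer. ROOT and DS are assumed to be defined by the app as in the original snippet.

```php
<?php
// Added example, not the project's code. ROOT and DS are assumed to be defined by the app.

// True if $ip is loopback, link-local, private or otherwise reserved
// (127.0.0.0/8, 169.254.0.0/16, 10/8, 172.16/12, 192.168/16, fc00::/7, fe80::/10, ...).
function is_internal_ip(string $ip): bool {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Accept only http(s) URLs whose host resolves exclusively to public addresses.
// Returns ['host', 'ip', 'url' => parsed parts] or null when the URL must be rejected.
function validate_fetch_url(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) return null;
    $p['scheme'] = strtolower($p['scheme'] ?? '');
    if (!in_array($p['scheme'], ['http', 'https'], true)) return null;
    $host = $p['host'];
    // IP literals are checked as-is; hostnames are resolved and every A record is checked
    // (gethostbynamel returns IPv4 only; bracketed IPv6 literals fail both paths and are rejected).
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : (gethostbynamel($host) ?: []);
    if (!$ips) return null;
    foreach ($ips as $ip) {
        if (is_internal_ip($ip)) return null;   // e.g. 127.0.0.1 or 169.254.169.254
    }
    return ['host' => $host, 'ip' => $ips[0], 'url' => $p];
}

// Fetch from the already-validated IP rather than re-resolving the name, so a DNS answer
// that changes between check and use cannot point the request inward; redirects are not
// followed for the same reason. Returns the body or null.
function safe_fetch(string $url): ?string {
    $v = validate_fetch_url($url);
    if ($v === null) return null;
    $u = $v['url'];
    $port = $u['port'] ?? ($u['scheme'] === 'https' ? 443 : 80);
    $target = sprintf('%s://%s:%d%s%s', $u['scheme'], $v['ip'], $port,
                      $u['path'] ?? '/', isset($u['query']) ? '?' . $u['query'] : '');
    $ctx = stream_context_create([
        'http' => ['header' => 'Host: ' . $v['host'], 'follow_location' => 0, 'timeout' => 10],
        'ssl'  => ['peer_name' => $v['host']],   // TLS verification and SNI still use the real name
    ]);
    $body = @file_get_contents($target, false, $ctx);
    return $body === false ? null : $body;
}

$url  = trim($_REQUEST['url'] ?? '');
$body = safe_fetch($url);
if ($body === null) exit(json_encode(['status' => 'err', 'reason' => 'Invalid URL']));
file_put_contents(ROOT . DS . 'tmp' . DS . basename($url), $body);
```

An allow-list of permitted hosts is stricter still and preferable when the set of legitimate sources is known.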