Server-Side Request Forgery (SSRF) in HaschekSolutions/pictshare

Reported on Jun 7th 2021

✍️ Description

Hi, there is an SSRF vulnerability in pictshare. In api/geturl.php, users are asked to enter a URL, and the server will fetch it and store it in the tmp folder of the app. However, no check is performed on the $url variable to ensure it doesn't point to internal resources.

$url = trim($_REQUEST['url']);//no checks in the url variable

if(!$url || !startsWith($url, 'http'))
    exit(json_encode(array('status'=>'err','reason'=>'Invalid URL')));

$name = basename($url);
$tmpfile = ROOT.DS.'tmp'.DS.$name;

If a user visits a local URL like : Then the server will fetch the content served by localhost and store it in

Same goes for cloud instance metadata located in for example. If cloud instances are used in the same environment as the app, attackers can abuse this app to retrieve sensitive data located in internal networks.
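One way to add the missing check before the fetch, as an added example that is not pictshare's code or the project's fix. The function names, the stub resolver and the sample hostnames and addresses are hypothetical and constructed for illustration.

```php
<?php
// Added example, not pictshare code. Function names are hypothetical.

// True only for addresses outside private and reserved ranges
// (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8, ::1, fe80::/10, fc00::/7).
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the vetted IP to connect to, or null if the URL must be refused.
// $resolver maps a hostname to a list of IPs; defaults to gethostbynamel().
function vetFetchUrl(string $url, ?callable $resolver = null): ?string
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    // Exact scheme match; a prefix test on "http" would also accept "httpx://".
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $host = trim($p['host'], '[]'); // strip brackets from IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = $resolver ? $resolver($host) : (gethostbynamel($host) ?: []);
    }
    if ($ips === []) {
        return null; // unresolvable host
    }
    // Refuse if ANY resolved address is internal (loopback, private, link-local).
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null;
        }
    }
    return $ips[0];
}

// Constructed sample input with a stub resolver so the example runs offline.
$stub = fn(string $h): array => ['files.example' => ['93.184.216.34'],
                                 'intranet.example' => ['10.0.0.5']][$h] ?? [];
foreach (['http://files.example/a.png', 'http://intranet.example/a.png',
          'http://127.0.0.1/a.png', 'http://169.254.10.10/a.png',
          'http://[::1]/a.png', 'ftp://files.example/a.png'] as $u) {
    printf("%-34s %s\n", $u, vetFetchUrl($u, $stub) ?? 'REFUSED');
}
```

The fetch itself should connect to the returned IP (for example by pinning it with cURL's CURLOPT_RESOLVE) and should not follow redirects without re-running the check, since a second DNS lookup or a redirect can otherwise point the request back at an internal address.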