Open Redirect on Rudloff/alltube in rudloff/alltube

Reported on Feb 18th 2022

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. alltube is vulnerable to an open redirect as shown below:

Proof of concept

Vulnerable variable: $_SERVER['REQUEST_URI'] (attacker-controlled: it is the raw request target sent by the client)

// index.php: the raw request URI is rewritten and sent back as a Location header
// without any check on where the resulting URL points.
if (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], '/index.php') !== false) {
    header('Location: ' . str_ireplace('/index.php', '/', $_SERVER['REQUEST_URI']));
}


In a browser, perform a request to the index.php resource:


Observe that the user is redirected to


This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
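The following is an added example, not code from alltube and not the maintainers' fix. It reproduces the reported pattern as a function, places a hardened variant beside it, and runs both over constructed request URIs (the sample URIs and the attacker.example host are invented for illustration). The scheme-relative form "//host/..." is included because a browser resolves a Location header of "//host/" as an external URL; that is a general property of URL resolution, not a step taken from the report.

```php
<?php
// Added example (not alltube's code): the reported redirect pattern as a pure
// function, a hardened variant, and a run over constructed request URIs.

// Vulnerable pattern from the report: the raw request URI is rewritten and used
// as the Location target without checking where it points.
function vulnerable_location(string $request_uri): ?string
{
    if (strpos($request_uri, '/index.php') !== false) {
        return str_ireplace('/index.php', '/', $request_uri);
    }
    return null;
}

// Hardened variant (an assumption for this example, not the merged fix): keep
// only the path and query of the request, refuse anything a browser could
// resolve to another origin (absolute URLs, scheme-relative "//host"), and
// rebuild the target as a root-relative path.
function hardened_location(string $request_uri): ?string
{
    if (strpos($request_uri, '/index.php') === false) {
        return null;
    }
    $parts = parse_url($request_uri);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return null; // absolute or scheme-relative URL: never redirect there
    }
    $path = $parts['path'] ?? '/';
    // Turn backslashes into slashes, then collapse leading slashes, so neither
    // "//host" nor "/\host" can survive as a scheme-relative reference.
    $path = str_replace('\\', '/', $path);
    $path = '/' . ltrim($path, '/');
    $path = str_ireplace('/index.php', '/', $path);
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Constructed request URIs (not taken from the report).
// Run with: php open_redirect_demo.php
$samples = [
    '/index.php?url=https://example.org/video',   // legitimate same-origin request
    '//attacker.example/index.php',               // scheme-relative: Location: //attacker.example/
    '/\\attacker.example/index.php',              // backslash variant some browsers normalise to //
    'http://attacker.example/index.php',          // absolute-form request target
];

foreach ($samples as $uri) {
    printf(
        "%-42s vulnerable=%-32s hardened=%s\n",
        $uri,
        var_export(vulnerable_location($uri), true),
        var_export(hardened_location($uri), true)
    );
}
```

For the scheme-relative and absolute inputs the vulnerable function hands back a target on attacker.example while the hardened one returns null (no redirect), and for the legitimate input both return "/?url=https://example.org/video". The decisive check is that the redirect target is rebuilt from the parsed path rather than from the raw request string.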


We are processing your report and will contact the rudloff/alltube team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a 3 months ago
Pierre Rudloff validated this vulnerability 3 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pierre Rudloff confirmed that a fix has been merged on bc14b6 3 months ago
The fix bounty has been dropped
index.php#L8-L9 has been validated