Server-Side Request Forgery (SSRF) in chocobozzz/peertube

Valid

Reported on

Feb 5th 2022

Description

First of all, Thanks to my friend Haxatron for his excellent report

I read the fix commit, and I found out that the code only Checked the IP addresses and didn't check the domain names that refer to a private IP address

Steps to reproduce

first, set up a local server at 127.0.0.2:8000 and put a media file on it named 1.mp4.

second, use the following URL to import A video with URL upload when you want to publish a video:

http://a.domain.pointing.to.127.0.0.2:8000/1.mp4

Impact

You can see that the local server files can be enumerated, and even if there is any media file with a guessable name, it can be leaked through the URL download procedure.

Occurrences

video-imports.ts L78

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. a year ago

We have contacted a member of the chocobozzz/peertube team and are waiting to hear back a year ago

chocobozzz validated this vulnerability a year ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

chocobozzz marked this as fixed in Not released yet with commit f33e51 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

video-imports.ts#L78 has been validated

to join this conversation