Server-Side Request Forgery (SSRF) in athlon1600/youtube-downloader
Mar 2nd 2022
youtube-downloader takes an URL from the
url query parameter, passes it directly to curl and streams the response to the browser.
This makes it vulnerable to an SSRF attack if someone passes an URL containing an internal hostname, as it will stream internal resources to the browser.
Proof of Concept
GET /youtube-downloader/public/stream.php?url=http://localhost/ Accept: */* Accept-Encoding: gzip, deflate Connection: keep-alive Host: localhost User-Agent: HTTPie/2.4.0
On a publicly accessible instance of youtube-downloader, this vulnerability can allow an attacker to retrieve sensitive information hosted on the internal network.
We are processing your report and will contact the athlon1600/youtube-downloader team within 24 hours. a year ago
We have contacted a member of the athlon1600/youtube-downloader team and are waiting to hear back a year ago
We have sent a follow up to the athlon1600/youtube-downloader team. We will try again in 7 days. a year ago
athlon1600 validated this vulnerability a year ago
Pierre Rudloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
athlon1600 marked this as fixed in v3.1.1 with commit 6ffe82 a year ago
This vulnerability will not receive a CVE
commented a year ago
I don't think this is properly fixed,
stream.php can still be used to fetch an internal resource.
It should probably only allow requests to specific domains.
to join this conversation