Server-Side Request Forgery (SSRF) in athlon1600/youtube-downloader

Valid

Reported on

Mar 2nd 2022


Description

youtube-downloader takes a URL from the url query parameter, passes it directly to curl and streams the response to the browser. This makes it vulnerable to an SSRF attack: if someone passes a URL containing an internal hostname, the application will fetch that internal resource and stream it to the browser.

Proof of Concept

GET /youtube-downloader/public/stream.php?url=http://localhost/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost
User-Agent: HTTPie/2.4.0

Impact

On a publicly accessible instance of youtube-downloader, this vulnerability can allow an attacker to retrieve sensitive information hosted on the internal network.

We are processing your report and will contact the athlon1600/youtube-downloader team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the athlon1600/youtube-downloader team and are waiting to hear back a year ago
We have sent a follow up to the athlon1600/youtube-downloader team. We will try again in 7 days. a year ago
athlon1600 validated this vulnerability a year ago
Pierre Rudloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
athlon1600 marked this as fixed in v3.1.1 with commit 6ffe82 a year ago
athlon1600 has been awarded the fix bounty
This vulnerability will not receive a CVE
Pierre Rudloff
a year ago

Researcher


I don't think this is properly fixed, stream.php can still be used to fetch an internal resource. It should probably only allow requests to specific domains.

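The description above explains the root cause (a caller-supplied url is handed straight to curl) and the researcher's follow-up comment suggests restricting requests to specific domains. The following is an added example, not the youtube-downloader project's code and not the fix in commit 6ffe82, of how a stream.php-style endpoint can validate the URL before curl touches it: only http/https, a host allowlist, a DNS check that refuses private and reserved addresses, and curl options that pin the validated address and refuse redirects. The allowlisted hosts, the googlevideo.com subdomain pattern, the function names and the reason strings are assumptions made for illustration.

```php
<?php
// Added example (not the project's code). Assumes PHP 7.4+ with ext-curl.
declare(strict_types=1);

// Hypothetical allowlist of exact hosts the proxy may fetch from.
const ALLOWED_HOSTS = ['www.youtube.com', 'youtube.com'];

// True when $ip is loopback, link-local, RFC1918/ULA or another reserved range.
function isInternalIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Exact allowlist match, plus subdomains of googlevideo.com (assumed CDN pattern).
function hostAllowed(string $host): bool
{
    $host = strtolower(rtrim($host, '.'));
    if (in_array($host, ALLOWED_HOSTS, true)) {
        return true;
    }
    return preg_match('/^([a-z0-9-]+\.)+googlevideo\.com$/', $host) === 1;
}

// Returns null when $url is acceptable and fills $pin with "host:port:ip" for
// CURLOPT_RESOLVE; otherwise returns a short rejection reason.
function validateStreamUrl(string $url, ?string &$pin = null): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return 'unparseable url';
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'scheme not allowed';            // no file://, no other handlers
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in url';            // avoids user@host confusion
    }
    if (!hostAllowed($p['host'])) {
        return 'host not in allowlist';
    }
    // Resolve now and refuse if ANY returned address is internal; the same
    // address is then pinned so curl cannot be steered elsewhere by a later
    // DNS answer (rebinding).
    $records = @dns_get_record($p['host'], DNS_A | DNS_AAAA);
    if ($records === false || $records === []) {
        return 'dns resolution failed';
    }
    $first = null;
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($ip === null || isInternalIp($ip)) {
            return 'resolves to internal address';
        }
        $first = $first ?? $ip;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $pin = $p['host'] . ':' . $port . ':' . $first;
    return null;
}

// curl options that hold even if validation is bypassed: HTTP(S) only, no
// redirect following (a 3xx to an internal address must not be fetched),
// and the validated address pinned for the connection.
function configureCurl($ch, string $url, string $pin): void
{
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_RESOLVE        => [$pin],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 120,
        CURLOPT_RETURNTRANSFER => false,   // stream straight to the client
    ]);
}

$url = (string) ($_GET['url'] ?? '');
$pin = null;
if (($reason = validateStreamUrl($url, $pin)) !== null) {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "rejected: $reason\n";
    exit;
}
$ch = curl_init();
configureCurl($ch, $url, $pin);
curl_exec($ch);
curl_close($ch);
```

With this in place the proof-of-concept request for http://localhost/ is rejected at the allowlist step, and a name that does pass the allowlist but resolves to 127.0.0.1 or a private range is rejected at the DNS step. Disabling redirect following matters because an allowed host can answer with a 3xx pointing anywhere; if redirects are needed, each Location value has to go back through validateStreamUrl before a new request is made.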