Server-Side Request Forgery (SSRF) in athlon1600/youtube-downloader
Mar 2nd 2022
youtube-downloader takes a URL from the url query parameter, passes it directly to curl, and streams the response to the browser.
This makes it vulnerable to an SSRF attack: if someone passes a URL containing an internal hostname, the server fetches that internal resource and streams it to the browser.
Proof of Concept
    GET /youtube-downloader/public/stream.php?url=http://localhost/
    Accept: */*
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Host: localhost
    User-Agent: HTTPie/2.4.0
On a publicly accessible instance of youtube-downloader, this vulnerability can allow an attacker to retrieve sensitive information hosted on the internal network.
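One way to guard a PHP proxy endpoint like stream.php against this, shown as an added example that is not the project's code or its actual fix: resolve the host before fetching, reject loopback, private and reserved addresses, and pin curl to the address that was checked so a second DNS lookup cannot return a different one. The function names are hypothetical, the check is IPv4-only by design, and the sample URLs at the end are constructed.

```php
<?php
// Added example, not the project's code. Function names are hypothetical.
// Vet the destination first, then pin curl to the vetted address.
function resolve_public_target(string $url): array
{
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['host'])) {
        throw new InvalidArgumentException('URL has no host');
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http and https are allowed');
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    // gethostbynamel() returns IPv4 addresses only, so IPv6 literals fail here.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        throw new InvalidArgumentException('host does not resolve to IPv4');
    }
    // Rejects 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8 and 240/4.
    // Other special ranges (for example 100.64.0.0/10) need an explicit check.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException("resolves to internal address $ip");
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

function open_checked_handle(string $url)
{
    $t = resolve_public_target($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect would skip the check above
        CURLOPT_IPRESOLVE      => CURL_IPRESOLVE_V4,
        // Connect to the address that was vetted, not a fresh DNS answer.
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
    ]);
    return $ch;
}

// Constructed sample inputs; each one should be rejected.
foreach (['http://localhost/', 'http://192.168.1.10/', 'ftp://example.com/'] as $u) {
    try { resolve_public_target($u); echo "allowed  $u\n"; }
    catch (InvalidArgumentException $e) { echo "rejected $u ({$e->getMessage()})\n"; }
}
```

If the endpoint only ever needs to reach a known set of upstream hosts, an allowlist of those hostnames in front of this check narrows the exposure further.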