Summary
---------
YetiShare is script the file hosting. This script has remote file upload feature.
Since sufficient security measures are not taken in the remote file upload area,
SSRF vulnerability available.
Description
---------
When a new upload request is received by the user, the following function block
is called first.
app/tasks/process_remote_file_downloads.cron.php
------------------------------------------------
// include plugin code
$url = $urlDownloadData['url'];
$params = PluginHelper::includeAppends('url_upload_handler', array(
'url' => $url,
'rowId' => 0,
'urlDownloadData' => $urlDownloadData,
)
);
$url = $params['url'];
The url parameter received as input from the user in the called function blog is
sent to the "handleRemoteUrlUpload" function.
/Users/numan/Desktop/file-hosting-script-v5.0.0-beta/app/services/
Uploader.class.php
------------------------------------------------------------------
public function handleRemoteUrlUpload($url, $rowId = 0) {
.....
$remoteFileDetails = $this->getRemoteFileDetails($url);
$remoteFilesize = (int) $remoteFileDetails['bytes'];
if ($remoteFilesize > $this->options['max_file_size']) {
.....ERROR MSG
}
else {
// look for real filename if passed in headers
if (strlen($remoteFileDetails['real_filename'])) {
$realFilename = trim(current(explode(';',
$remoteFileDetails['real_filename'])));
if (strlen($realFilename)) {
$this->fileUpload->name = $realFilename;
}
}
// try to get the file locally
$localFile = $this->downloadRemoteFile($url, true);
------------------------------------------------------------------
In this function that is called, the details of the file are taken first and if
the bytes is not larger than the max_file_size, the "downloadRemoteFile"
function will go to the download.
------------------------------------------------------------------
public function getRemoteFileDetails($url) {
.....
$execute = curl_exec($ch);
// check if any error occured
if (!curl_errno($ch)) {
$rs['bytes'] = (int) curl_getinfo($ch,
CURLINFO_CONTENT_LENGTH_DOWNLOAD);
.....
------------------------------------------------------------------
------------------------------------------------------------------
public function downloadRemoteFile($url, $streamResponse = false) {
.....
// use curl
if (function_exists('curl_init')) {
// get file via curl
$fp = fopen($tmpFullPath, 'w+');
if ($ch === null) {
$ch = curl_init();
}