Open
Description
Hello,
I would like to report a security vulnerability affecting the “Upload from URL”
feature of TinyFileManager.
This is an SSRF (Server-Side Request Forgery) filter bypass caused by validating
only the hostname string before DNS resolution. The code attempts to block
localhost, 127.x.x.x and ::1, but an attacker can bypass the protection using
a hostname that resolves to 127.0.0.1 or an internal IP.
✦ Vulnerability Summary
In tinyfilemanager.php:
```php
$domain = parse_url($url, PHP_URL_HOST);
// Only the hostname string is inspected; the name is never resolved, so a
// hostname that resolves to 127.0.0.1 or an internal address is not matched.
if (preg_match('/localhost|127(?:\.[0-9]+){0,2}\.[0-9]+|::1/i', $domain)) {
    blockRequest();
}
```
Proof of Concept (POC)
1. Add the following entry on the machine where TinyFileManager runs:
   - 127.0.0.1 tfm-ssrf.local
2. Open TinyFileManager → “Upload from URL”.
3. Submit:
   - http://tfm-ssrf.local:8080/anyfile
4. Result: TinyFileManager successfully fetches a file from 127.0.0.1:8080
Screenshot: https://github.com/user-attachments/assets/9a4df25a-4a9e-4baa-959d-3d16f5617c61
✦ Impact
- Access to localhost/internal HTTP services
- Potential data exposure inside a private environment
- Possible RCE if internal services are writable
- High severity in real deployments
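For reference, an added example (not TinyFileManager's code and not part of the report above) showing the report's regex beside a resolve-then-check version. The `tfm_*` function names, the injectable `$resolver` callback and the fake resolver that stands in for the PoC hosts entry are assumptions made for this illustration; PHP 8 with ext-curl is assumed.

```php
<?php
declare(strict_types=1);
// Added example, not TinyFileManager's code. The tfm_* names, the injectable
// $resolver callback and the fake resolver below are assumptions; ext-curl assumed.
/** The string-only check quoted in the report, kept verbatim to show the bypass. */
function tfm_legacy_regex_blocks(string $host): bool
{
    return (bool) preg_match('/localhost|127(?:\.[0-9]+){0,2}\.[0-9]+|::1/i', $host);
}

/** True for loopback, private, link-local and other non-routable addresses. */
function tfm_is_forbidden_ip(string $ip): bool
{
    // Unwrap an IPv4-mapped IPv6 literal (::ffff:127.0.0.1) so the IPv4 rules apply.
    $packed = @inet_pton($ip);
    if ($packed !== false && strlen($packed) === 16
        && substr($packed, 0, 12) === (str_repeat("\0", 10) . "\xff\xff")) {
        $ip = inet_ntop(substr($packed, 12));
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true; // not an IP literal at all: refuse rather than guess
    }
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.  NO_RES_RANGE: 0/8, 127/8,
    // 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.  Not covered: 100.64/10, 224/4.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/** Syntactic checks first, then resolve the host and check every returned address.
 *  Returns the addresses safe to dial, or throws. $resolver(host): string[] is
 *  injectable so the demo below needs no real DNS (default: dns_get_record()). */
function tfm_check_upload_url(string $url, ?callable $resolver = null): array
{
    $resolver ??= static function (string $host): array {
        $addrs = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $addrs[] = $rec['ip'] ?? $rec['ipv6'];
        }
        return $addrs;
    };
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new RuntimeException("unparseable URL: $url");
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new RuntimeException("scheme not allowed: {$p['scheme']}");
    }
    $host = trim($p['host'], '[]'); // parse_url keeps the brackets of an IPv6 literal
    // An IP literal is checked as-is; a name is resolved and *each* address is
    // checked, because the filter must see what will actually be dialled.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($addrs === []) { throw new RuntimeException("cannot resolve host: $host"); }
    foreach ($addrs as $a) {
        if (tfm_is_forbidden_ip($a)) {
            throw new RuntimeException("$host resolves to forbidden address $a");
        }
    }
    return $addrs;
}

/** A cURL handle pinned to a checked address, so no second lookup happens at connect time. */
function tfm_open_pinned_curl(string $url, string $ip): CurlHandle
{
    $p = parse_url($url);
    $host = trim($p['host'], '[]');
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch = curl_init($url);
    // Without pinning, libcurl resolves the name again at connect time, and a DNS
    // answer that changed since the check (rebinding) would send the fetch to 127.0.0.1.
    $pin = str_contains($ip, ':') ? "[$ip]" : $ip;
    curl_setopt($ch, CURLOPT_RESOLVE, ["$host:$port:$pin"]);
    // Never auto-follow: every Location target must pass tfm_check_upload_url() too.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed resolver standing in for the report's hosts entry (127.0.0.1 tfm-ssrf.local);
// 203.0.113.10 is RFC 5737 documentation space used as a stand-in public address.
$fakeResolver = static fn (string $host): array => match ($host) {
    'tfm-ssrf.local', 'localhost' => ['127.0.0.1'],
    'files.example' => ['203.0.113.10'],
    default => [],
};

foreach (['http://tfm-ssrf.local:8080/anyfile', 'http://169.254.169.254/latest/',
          'http://files.example/report.pdf'] as $url) {
    $host = trim((string) parse_url($url, PHP_URL_HOST), '[]');
    printf("%-38s regex blocks: %-3s  resolve-then-check: ", $url,
        tfm_legacy_regex_blocks($host) ? 'yes' : 'no');
    try {
        $addrs = tfm_check_upload_url($url, $fakeResolver);
        curl_close(tfm_open_pinned_curl($url, $addrs[0]));
        printf("allowed, pinned to %s\n", $addrs[0]);
    } catch (RuntimeException $e) {
        printf("rejected (%s)\n", $e->getMessage());
    }
}
```

With the fake resolver, the report's regex lets both `tfm-ssrf.local` and the link-local `169.254.169.254` through, while the resolve-then-check version rejects them and allows only the host that resolves to a routable address. Two caveats for a real fix: the address that passed the check must be the one actually dialled (hence `CURLOPT_RESOLVE`), otherwise a DNS answer that changes between the check and the connect reintroduces the bypass, and redirects must be re-checked hop by hop rather than followed automatically.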