[GH-ISSUE #1356] [Security] SSRF Filter Bypass in Upload-from-URL (Potential CVE) #861

Open
opened 2026-03-02 16:01:52 +03:00 by kerem · 0 comments

Originally created by @anuphong-github on GitHub (Nov 24, 2025).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/1356

Hello,

I would like to report a security vulnerability affecting the “Upload from URL”
feature of TinyFileManager.

This is an SSRF (Server-Side Request Forgery) filter bypass caused by validating
only the hostname string before DNS resolution. The code attempts to block
localhost, 127.x.x.x and ::1, but an attacker can bypass the protection using
a hostname that resolves to 127.0.0.1 or an internal IP.


✦ Vulnerability Summary

In tinyfilemanager.php:

```php
$domain = parse_url($url, PHP_URL_HOST);
// The check runs on the hostname string only; nothing here resolves the name.
if (preg_match('/localhost|127(?:\.[0-9]+){0,2}\.[0-9]+|::1/i', $domain)) {
    blockRequest();
}
```

Proof of Concept (POC)

1. Add the following entry on the machine where TinyFileManager runs:
   - 127.0.0.1   tfm-ssrf.local

2. Open TinyFileManager → “Upload from URL”.

3. Submit:
   - http://tfm-ssrf.local:8080/anyfile

4. Result:
   TinyFileManager successfully fetches a file from: 127.0.0.1:8080

Screenshot:
https://github.com/user-attachments/assets/9a4df25a-4a9e-4baa-959d-3d16f5617c61


✦ Impact
- Access to localhost/internal HTTP services
- Potential data exposure inside private environment
- Possible RCE if internal services are writable
- High severity in real deployments
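The root cause the report describes is that the filter inspects the hostname string and never looks at what the name resolves to. The following is an added hardening example, not TinyFileManager's own code and not a patch the reporter proposed: it resolves the host first, rejects any answer that falls in a loopback, private, link-local or otherwise non-routable range, and then pins the vetted address for the actual fetch so that a changed DNS answer or a redirect cannot steer the request elsewhere. The function and constant names (`vetRemoteUrl`, `fetchVetted`, `BLOCKED_RANGES`, and so on) are this example's own.

```php
<?php
// Added example (not TinyFileManager's own code): resolve-then-check SSRF guard
// for an upload-from-URL feature, with the fetch pinned to the vetted address.

const BLOCKED_RANGES = [
    // IPv4: "this host", private, CGNAT, loopback, link-local, benchmarking,
    // multicast/reserved/broadcast
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.0.0.0/24', '192.168.0.0/16', '198.18.0.0/15', '224.0.0.0/3',
    // IPv6: unspecified, loopback, IPv4-mapped, NAT64, ULA, link-local, multicast
    '::/128', '::1/128', '::ffff:0:0/96', '64:ff9b::/96', 'fc00::/7', 'fe80::/10', 'ff00::/8',
];

// Bitwise CIDR match that works for both address families.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or a different address family than the range
    }
    $bits = (int) $bits;
    $full = intdiv($bits, 8);
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function isBlockedAddress(string $ip): bool
{
    foreach (BLOCKED_RANGES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Every address the host maps to. Literal IPs are accepted only in canonical
// form; shorthand like "127.1" or "2130706433" is rejected instead of being
// handed to a resolver that would quietly normalise it to 127.0.0.1.
function resolveHost(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $lastLabel = substr(strrchr('.' . $host, '.'), 1);
    if (strlen($host) > 253 || !preg_match('/^(?:' . $label . '\.)*' . $label . '$/i', $host)
        || !preg_match('/[a-z]/i', $lastLabel)) {
        throw new InvalidArgumentException("not a valid hostname: $host");
    }
    // gethostbynamel() goes through the system resolver (/etc/hosts included, which is
    // how the reporter mapped the name); PHP has no hosts-aware AAAA lookup, so DNS is used for IPv6.
    $ips = gethostbynamel($host) ?: [];
    foreach ((dns_get_record($host, DNS_AAAA) ?: []) as $rr) {
        $ips[] = $rr['ipv6'];
    }
    return $ips;
}

// Returns the pinned target, or throws for anything that must not be fetched.
function vetRemoteUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('only plain http(s) URLs without credentials are allowed');
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps the brackets on IPv6 literals
    $port = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);
    $ips = resolveHost($host);
    if ($ips === []) {
        throw new RuntimeException("$host did not resolve");
    }
    foreach ($ips as $ip) { // a single blocked answer blocks the whole name
        if (isBlockedAddress($ip)) {
            throw new RuntimeException("$host resolves to blocked address $ip");
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

// Fetch using only the address that was checked; no redirects, no other protocols.
function fetchVetted(string $url, string $dest): bool
{
    $t = vetRemoteUrl($url);
    $pin = strpos($t['ip'], ':') !== false ? "[{$t['ip']}]" : $t['ip'];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:$pin"],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect would bypass the check; refuse it
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        return false;
    }
    return file_put_contents($dest, $body) !== false;
}
```

With the reporter's `/etc/hosts` entry in place, `vetRemoteUrl('http://tfm-ssrf.local:8080/anyfile')` now throws because the name resolves to 127.0.0.1, whereas the string-only regex accepted it. Two design points matter beyond the range list: the resolution result is passed to curl through `CURLOPT_RESOLVE`, so the check and the connection use the same address and a later DNS answer cannot differ from the one that was vetted; and redirects are disabled rather than followed, because an external host can otherwise answer with a `Location` pointing at an internal address that the check never saw.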