Tiny File Manager Server-Side Request Forgery Vulnerability in URL Upload Feature

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Tiny File Manager versions through 2.6. The issue arises in the 'Upload from URL' feature, where insufficient validation of user-supplied URLs allows authenticated attackers to send crafted requests to localhost or internal services. This could lead to unauthorized access to internal-only services, port scanning, or interaction with cloud metadata services in certain environments.

Impact

Exploitation of this vulnerability allows authenticated users to bypass URL validation and make the server send requests to internal resources. This could include accessing restricted services, internal APIs, or metadata services in cloud environments.

Remediation

To address this vulnerability, it is recommended to disable automatic HTTP redirect following when fetching remote URLs. If redirects must be supported, each redirect target should be validated individually before it is followed. Additionally, hostnames should be resolved and every resulting address checked, so that requests to loopback addresses, private IP ranges, link-local addresses, and cloud metadata IPs are blocked. Implementing outbound network filtering where possible is also advised.
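The following is an added example illustrating the remediation above in Python; it is not Tiny File Manager's own code (the project is PHP). It assumes a `fetch(url)` callable that does not follow redirects itself, and the DNS map and HTTP responses are constructed inline so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

# Constructed sample resolver so the example runs offline (not real DNS data).
SAMPLE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "meta.example.com": ["169.254.169.254"],
    "dual.example.com": ["93.184.216.34", "::1"],  # one public, one loopback: reject
}

def is_blocked(ip):
    """True for loopback, private, link-local (covers 169.254.169.254), multicast,
    reserved, unspecified, or otherwise non-global addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:      # ::ffff:127.0.0.1 hides a v4 loopback
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified or not addr.is_global)

def validate_url(url, dns=SAMPLE_DNS):
    """Return (ok, reason). Accept only http(s) and only if EVERY resolved address is public."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False, "scheme or host not allowed"
    host = p.hostname
    try:
        ipaddress.ip_address(host)
        ips = [host]                                # IP literal: check it directly
    except ValueError:                              # hostname: resolve, then check all answers
        ips = dns.get(host) or [i[4][0] for i in socket.getaddrinfo(host, None)]
    for ip in ips:
        if is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"

def fetch_with_checked_redirects(url, fetch, max_hops=3, dns=SAMPLE_DNS):
    """Follow redirects manually. `fetch(url)` (assumed) must not follow redirects itself
    and returns (status, headers, body). Every hop, including the first URL, is validated."""
    for _ in range(max_hops + 1):
        ok, reason = validate_url(url, dns)
        if not ok:
            return None, f"rejected {url}: {reason}"
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return body, "ok"
        url = urljoin(url, headers.get("Location", ""))   # relative Location is resolved
    return None, "too many redirects"

# Constructed stand-in for the HTTP client: a public host redirects to the metadata IP.
SAMPLE_RESPONSES = {
    "https://files.example.com/a.txt": (302, {"Location": "http://169.254.169.254/latest/"}, b""),
    "https://files.example.com/b.txt": (200, {}, b"hello"),
}

def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}, b""))
```

The real HTTP client must connect to the address that was validated (pin the resolved IP), otherwise a second lookup by the client can be raced via DNS rebinding; outbound network filtering on the host remains the backstop.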

Added: Feb 3, 2026, 7:03 PM
Updated: Feb 3, 2026, 7:03 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.4
exploitability: 5.5
remediation: 0.0
relevance: 2.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.