SourceCodester SEO Meta Tag Extractor 1.0
A server-side request forgery (SSRF) vulnerability has been identified in SourceCodester SEO Meta Tag Extractor version 1.0. The issue arises in the 'fetchMetaTags' function within 'index.php', where user-supplied URLs are processed by 'get_headers' and 'file_get_contents' without proper validation. This oversight allows remote attackers to access internal services via loopback or private IP addresses. The vulnerability is exacerbated by 'file_get_contents' following HTTP redirects, potentially leading to the exposure of sensitive internal data. The flaw has been publicly disclosed and can be exploited.
Exploitation of this vulnerability allows unauthenticated remote attackers to access and read data from internal services that are not exposed to the public internet. This includes loopback services, private network resources, and, in cloud environments without IMDSv2 enforcement, sensitive metadata such as AWS IAM credentials. The vulnerability also bypasses IP-based access controls and defeats naive URL blacklists by using controlled redirects.
To reproduce this vulnerability, deploy the SEO Meta Tag Extractor on a server with an internal service accessible only via the loopback interface. After confirming that the internal service is not reachable from the outside, send a POST request to 'index.php' with a URL parameter pointing to the internal service. The response will include the fetched internal content, demonstrating the SSRF exploitation.
To address this vulnerability, implement a scheme allowlist to accept only 'http' and 'https' URLs, reject private and loopback addresses, disable automatic HTTP redirect following, and set request timeouts and content length limits. SourceCodester has been notified about this vulnerability.
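One way to apply all four mitigations in a single fetch routine, as an added example (not SourceCodester's code or an official patch). It assumes the PHP cURL extension; `safeFetch`, `isPublicIp` and the two limit constants are hypothetical names, and only IPv4 resolution is handled, so IPv6 literals are rejected.

```php
<?php
// Added example; safeFetch(), isPublicIp() and the limits are hypothetical, not from index.php.
const MAX_BYTES = 1048576;   // response size cap (constructed value)
const TIMEOUT_S = 5;         // connect and total timeout in seconds (constructed value)
function isPublicIp(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16; NO_RES_RANGE rejects
    // 0/8, 127/8 (loopback), 169.254/16 (link-local, cloud metadata) and 240/4.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function safeFetch(string $url): string
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme'] ?? '');
    if (empty($p['host']) || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs are accepted');
    }
    $host = $p['host'];
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once and require every returned address to be public.
    $ips = gethostbynamel($host);
    if ($ips === false || count(array_filter($ips, 'isPublicIp')) !== count($ips)) {
        throw new RuntimeException('Host does not resolve to a public address');
    }
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,                        // a 3xx is never followed
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],    // pin to the validated IP
        CURLOPT_CONNECTTIMEOUT => TIMEOUT_S,
        CURLOPT_TIMEOUT        => TIMEOUT_S,
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            if (strlen($body) + strlen($chunk) > MAX_BYTES) {
                return -1;                                      // length mismatch aborts the transfer
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);
    $ok = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($ok === false || $status < 200 || $status >= 300) {
        throw new RuntimeException('Fetch failed, was redirected, or exceeded limits');
    }
    return $body;
}
```

Pinning the connection to the address that was validated closes the gap where a hostname resolves to a public IP during the check and to an internal one when the request is made. Because redirects are refused rather than re-validated, a redirect to an internal address is returned as an error instead of being fetched.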