SourceCodester Website Link Extractor Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in SourceCodester Website Link Extractor version 1.0. The issue arises in the URL Handler component, where user-supplied URLs are processed by the `file_get_contents` function without adequate validation or restrictions. This flaw enables remote attackers to manipulate requests that the server sends, potentially accessing internal resources or services.
Impact
Exploitation of this vulnerability allows attackers to access and interact with internal network services, including localhost applications and cloud metadata endpoints. This could lead to unauthorized access to sensitive information or internal infrastructure.
Reproduction
To reproduce this vulnerability, upload the application to a server and access it through a web browser. Enter a URL pointing to an internal resource, such as 'http://127.0.0.1:80', and click the 'Extract Links' button. The server will fetch the content from the internal URL, demonstrating the SSRF vulnerability. Alternatively, a URL like 'http://127.0.0.1@evil.com' can be used to bypass any basic URL validation and access internal resources.
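The unguarded pattern the Vulnerability section describes, beside a guarded version that also rejects the userinfo trick from the reproduction steps. This is an added example, not code from Website Link Extractor or its author; the function names are assumed.

```php
<?php
// Added example, not code from Website Link Extractor: the unguarded pattern the
// advisory describes next to a guarded version. Function names are assumed.

// Vulnerable pattern: the user-supplied URL reaches file_get_contents as-is, so
// http://127.0.0.1:80, file:///etc/passwd or a cloud metadata address is fetched.
function fetch_page_vulnerable(string $url): string|false
{
    return file_get_contents($url);
}

// True when $ip is loopback, private, link-local, unspecified or otherwise reserved.
function is_internal_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Guarded version: allowlisted scheme, no userinfo, host resolved and checked
// against internal ranges, and redirects disabled so a 302 cannot point back inside.
function fetch_page_guarded(string $url): string|false
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                      // no file://, php://, gopher://, ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                      // http://127.0.0.1@evil.com carries userinfo
    }
    $host = strtolower($p['host']);
    $ip = gethostbyname($host);            // IPv4 only; returns $host unchanged on failure
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                      // unresolvable name, or an IPv6 literal like [::1]
    }
    if (is_internal_ip($ip)) {
        return false;                      // 127.0.0.0/8, 10/8, 169.254.0.0/16, ...
    }
    // Caveat: the name is resolved again inside file_get_contents, so a DNS-rebinding
    // host can still slip past this check; pin the verified IP (for example with
    // curl's CURLOPT_RESOLVE) when that matters.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    return file_get_contents($url, false, $ctx);
}
```

Calling `fetch_page_guarded('http://127.0.0.1:80')` or `fetch_page_guarded('http://127.0.0.1@evil.com')` returns false, while a public HTTP URL is fetched without following redirects.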