PinchTab Blind Server-Side Request Forgery Vulnerability in Download Endpoint

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in PinchTab versions through 0.8.2. The issue resides in the /download endpoint, where the validateDownloadURL() function only checks the initial user-supplied URL. This oversight allows the embedded Chromium browser to follow attacker-controlled redirects to internal network addresses, accessing private services from the PinchTab host. Exploitation requires security.allowDownload to be enabled, which is off by default.

Impact

Exploitation of this vulnerability allows access to internal-only services from the PinchTab host, potentially triggering state-changing actions on those services even though the attacker never sees the responses (the SSRF is blind).

Reproduction

To reproduce this vulnerability, first ensure that PinchTab is running with security.allowDownload set to true. Then create a malicious HTML page that redirects to an internal service on the same host as PinchTab and host it on a publicly accessible server. Send a request to the PinchTab /download endpoint with the URL of the hosted page. Once PinchTab processes the request, the embedded browser follows the redirect to the internal service, bypassing the initial URL validation and creating a blind SSRF condition.
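The root cause above is a check that runs once, on the user-supplied URL, while the browser then follows redirects unchecked. As an added illustration, not PinchTab's own code, the Python below applies one allow-list check to every hop of a redirect chain, resolving each hostname and rejecting loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address) and other non-public ranges. It assumes the caller collects the chain itself (for example by disabling automatic redirects in the fetching client and re-validating each Location target before following it); the hostnames and addresses are constructed sample data.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def resolve(host):
    # Resolve a hostname to the set of IPs it currently maps to (system DNS).
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip_str):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254) and other non-public ranges."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_multicast or ip.is_unspecified

def check_url(url, resolver=resolve):
    """Return None if the URL may be fetched, otherwise the reason it was rejected."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return "missing host"
    try:
        ips = resolver(p.hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return f"cannot resolve {p.hostname}"
    for ip in sorted(ips):
        if is_internal(ip):
            return f"{p.hostname} resolves to internal address {ip}"
    return None

def validate_chain(hops, resolver=resolve, max_hops=5):
    """Apply check_url to EVERY hop of a redirect chain; the flaw described above checked only hops[0]."""
    if len(hops) > max_hops:
        return f"too many redirects ({len(hops)})"
    for i, url in enumerate(hops):
        reason = check_url(url, resolver)
        if reason:
            return f"hop {i} rejected: {reason}"
    return None

# Constructed DNS data so the example runs offline; 1.2.3.4 stands in for an ordinary public address.
FAKE_DNS = {"cdn.example": {"1.2.3.4"}, "intranet.example": {"10.0.0.5"}}

def fake_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        ipaddress.ip_address(host)  # literal IP used directly in the URL
        return {host}
    except ValueError:
        raise OSError(f"unknown host {host}")
```

Re-resolving on every hop also means a name that is public on the first lookup but points inside the network on a later one is caught at the hop where it changes.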

Remediation

Users are advised to update to PinchTab version 0.8.3, where this vulnerability has been patched.

Added: Mar 20, 2026, 10:21 AM
Updated: Mar 20, 2026, 10:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 7.4
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.