Tiny File Manager Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Tiny File Manager versions up to 2.6. The issue arises in the file upload feature within 'filemanager.php', specifically when the 'uploadurl' parameter is manipulated. This vulnerability allows authenticated attackers to bypass the IP blocklist and make the server send HTTP requests to internal resources, including localhost services and cloud metadata endpoints.

Impact

Exploitation of this vulnerability allows access to internal services running on localhost, such as Redis or Elasticsearch, and could be used to exfiltrate data from these services. Additionally, the vulnerability could be exploited to scan internal network ports via response timing.

Reproduction

To reproduce this vulnerability, first create a simulated internal service response by writing a file named 'test.txt' in the '/tmp/' directory with the content 'SSRF_CONFIRMED'. Then, start a PHP server on localhost port 9090, serving files from the '/tmp/' directory. Next, upload a file through the Tiny File Manager's file upload feature, using 'localtest.me' as the 'uploadurl' parameter. This bypasses the application's blocklist and directs the request to the internal PHP server, which responds by confirming the file was fetched and saved. Finally, access the uploaded file through the file manager, which will contain the response from the internal service, verifying the SSRF vulnerability.

Remediation

It is recommended to resolve the hostname supplied in 'uploadurl' to an IP address before comparison, and to block all private or reserved ranges with IP range checks rather than a regex on the hostname string. If the URL upload feature is not needed, it can be disabled entirely.
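The following is an added example, written here for illustration and not code from Tiny File Manager, of the resolve-then-check approach the remediation describes. It places a hostname-regex blocklist next to a check that resolves the name first and rejects any resolved address inside a loopback, private, link-local, multicast or otherwise reserved range. The DNS table, the names 'localtest.me', 'metadata.example', 'files.example' and 'mixed.example', and the addresses they map to are constructed so the example runs offline; the function names and the `resolve` parameter are assumptions, not part of the project.

```python
"""Resolve-then-check validation for a user-supplied upload URL (added example)."""
import ipaddress
import re
import socket
from typing import Callable
from urllib.parse import urlsplit

# Weak approach: a regex over the hostname string. It catches literal
# loopback/private names and addresses, but any other name that merely
# resolves to such an address passes untouched.
_HOST_BLOCKLIST = re.compile(
    r"^(localhost|127\.\d+\.\d+\.\d+|10\..*|192\.168\..*|169\.254\..*)$", re.I
)


def is_blocked_by_regex(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return bool(_HOST_BLOCKLIST.match(host))


def system_resolver(host: str) -> list[str]:
    """Every A/AAAA address for host, so a mixed record set cannot hide one."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_disallowed_address(ip: str) -> bool:
    """True for loopback, RFC 1918/ULA, link-local, shared (100.64/10),
    multicast, unspecified and IANA-reserved addresses, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:a.b.c.d embeds an IPv4 address in IPv6; judge the embedded one.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def validate_upload_url(
    url: str, resolve: Callable[[str], list[str]] = system_resolver
) -> tuple[bool, str]:
    """Return (allowed, reason). Rejects non-http(s) schemes, embedded
    credentials, missing hosts, and any host whose resolved addresses
    include a disallowed range."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for ip in addrs:
        if is_disallowed_address(ip):
            return False, f"{parts.hostname} resolves to disallowed address {ip}"
    return True, "ok"


# Constructed DNS table for offline demonstration; these are not real records.
_FAKE_DNS = {
    "localtest.me": ["127.0.0.1"],             # public name pointing at loopback
    "metadata.example": ["169.254.169.254"],   # link-local (metadata-style) address
    "files.example": ["45.67.89.10"],          # constructed public address
    "mixed.example": ["45.67.89.10", "10.0.0.5"],  # one public, one private record
}


def fake_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver; IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"name not known: {host}")
    return list(_FAKE_DNS[host])


if __name__ == "__main__":
    for url in ("http://localtest.me:9090/test.txt", "http://files.example/report.pdf"):
        print(url, "regex-blocked:", is_blocked_by_regex(url),
              "resolved-check:", validate_upload_url(url, fake_resolver))
```

Two caveats apply when wiring this into a real fetch: the address that passed the check must be the one actually connected to (pin it for the connection rather than letting the HTTP client resolve the name a second time, which is where DNS rebinding bites), and any redirect target must go through the same validation before it is followed.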

Added: Apr 17, 2026, 4:27 PM
Updated: Apr 17, 2026, 4:27 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.3
exploitability: 6.0
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.