CVE-2024-39899
📋 TL;DR
This vulnerability in PrivateBin v1.5-1.7.3 allows attackers to bypass the YOURLS proxy restriction and shorten arbitrary URLs, not just those pointing to the configured PrivateBin instance. It affects PrivateBin installations with the YOURLS proxy feature enabled. The vulnerability defeats the intended security boundary that should only allow shortening URLs for the PrivateBin instance itself.
💻 Affected Systems
- PrivateBin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the PrivateBin instance as a proxy to shorten malicious URLs, potentially enabling phishing campaigns or distributing malware through what appears to be legitimate PrivateBin links.
Likely Case
Unauthorized URL shortening could lead to abuse of the YOURLS service, potentially causing reputation damage or resource consumption if the shortener service has usage limits.
If Mitigated
If the YOURLS proxy feature is disabled or properly configured with authentication, the impact is minimal as the vulnerability only affects this specific functionality.
🎯 Exploit Status
Exploitation requires network access to the PrivateBin instance with YOURLS proxy enabled. No authentication is needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.4
Vendor Advisory: https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-mqqj-fx8h-437j
Restart Required: Yes
Instructions:
1. Back up your PrivateBin installation and configuration.
2. Download PrivateBin v1.7.4 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Restart your web server (Apache/Nginx) and PHP-FPM, if applicable.
🔧 Temporary Workarounds
Disable YOURLS Proxy Feature
Temporarily disable the YOURLS proxy functionality until patching is possible.
Edit your PrivateBin configuration file (cfg/conf.php) and set 'urlshortener' to null, or remove the YOURLS configuration.
🧯 If You Can't Patch
- Disable the YOURLS proxy feature entirely in configuration
- Implement network-level restrictions to limit access to the PrivateBin instance
🔍 How to Verify
Check if Vulnerable:
Your installation is affected if the PrivateBin version is between 1.5 and 1.7.3 (inclusive) AND the YOURLS proxy is enabled in the configuration.
Check Version:
Check the version in PrivateBin's index.php file or via the web interface footer
Verify Fix Applied:
Verify version is 1.7.4 or later and test that URL shortening only works for PrivateBin instance URLs
📡 Detection & Monitoring
Log Indicators:
- Unusual URL shortening requests, especially for non-PrivateBin domains
- Multiple failed or successful YOURLS proxy requests from a single IP
Network Indicators:
- HTTP POST requests to /yourlsproxy endpoint with external URLs
- Unusual traffic patterns to YOURLS service
SIEM Query:
source="privatebin_logs" AND (url="*yourlsproxy*" AND NOT url="*your-privatebin-domain*")
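To turn the two log indicators above into something you can run against web server logs, here is an added example (not code from this page or from the PrivateBin project) that scans constructed combined-format access-log lines for requests to the proxy endpoint named in the network indicators and flags client IPs that exceed a per-window request threshold. The log layout, the `yourlsproxy` path substring, and the threshold/window values are assumptions to adjust for your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" access-log layout (an assumption about your web server logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoint path as named in this page's network indicators; adjust to your deployment.
PROXY_MARKER = "yourlsproxy"

# Constructed sample log lines, not real traffic: one client hammers the proxy endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "POST /yourlsproxy HTTP/1.1" 200 87
203.0.113.7 - - [10/Jul/2024:12:00:02 +0000] "POST /yourlsproxy HTTP/1.1" 200 90
203.0.113.7 - - [10/Jul/2024:12:00:03 +0000] "POST /yourlsproxy HTTP/1.1" 200 88
203.0.113.7 - - [10/Jul/2024:12:00:04 +0000] "POST /yourlsproxy HTTP/1.1" 200 91
198.51.100.9 - - [10/Jul/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 5123
198.51.100.9 - - [10/Jul/2024:12:00:06 +0000] "POST /yourlsproxy HTTP/1.1" 200 89
""".splitlines()

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def proxy_requests(lines):
    """Keep only requests that hit the YOURLS proxy endpoint (first log indicator)."""
    return [r for r in map(parse_line, lines) if r and PROXY_MARKER in r["path"]]

def noisy_clients(entries, threshold=3, window_seconds=60):
    """Map IP -> peak count for IPs exceeding `threshold` proxy requests in any `window_seconds` window."""
    by_ip = defaultdict(list)
    for r in entries:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```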
🔗 References
- https://github.com/PrivateBin/PrivateBin/commit/0c4e810e6728f67d678458838d8430dfba4fcca4
- https://github.com/PrivateBin/PrivateBin/pull/1370
- https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-mqqj-fx8h-437j