CVE-2024-39899: 
PHP vulnerability analysis and mitigation

PrivateBin, an online pastebin service where the server has zero knowledge of pasted data, introduced a vulnerability in version 1.5 through version 1.7.3 (CVE-2024-39899). The vulnerability was discovered in the YOURLS server-side proxy feature, which was designed to allow URL shortening without requiring authentication or exposing authentication tokens. The issue was reported on June 28, 2024, and was patched in version 1.7.4 (GitHub Advisory).

The vulnerability stems from improper filtering of URLs in the YOURLS proxy implementation. The guard clause checking whether the URL to be shortened belongs to the PrivateBin domain only verified if the PrivateBin instance URL was contained in the target URL, rather than ensuring it started with it. This incomplete filtering mechanism allowed attackers to bypass the URL filter and shorten URLs for other domains, as long as they contained the PrivateBin instance URL somewhere in the string. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability only affects non-standard configurations where URL shortening is enabled, a YOURLS URL shortener is configured as non-public with authentication, and the YOURLS proxy mechanism is configured with an authentication token. When exploited, it allows attackers to create shortened URLs pointing to arbitrary domains, potentially facilitating phishing campaigns by hiding malicious URLs behind trusted shortener domains (GitHub Advisory).

The vulnerability has been patched in PrivateBin version 1.7.4. Users are advised to upgrade to this version immediately. As a workaround, administrators can disable URL shortening functionality entirely. For those who must continue using URL shortening, it's recommended to check YOURLS proxy logs for shortened domains that don't start with their PrivateBin instance URL (GitHub Advisory).