SSRF security failure

[JoeoJ]

Nice job man (sorry for the english) ! On your demo site https://unblockvideos.com/ I found a SSRF failure. I don't know if it is the good place to share this but if you type http://localhost/server-status you can see the problem... Filtering requested URLs through the proxy and disable Apache mod_status from localhost could be a good idea.

And with str_rot_pass() function in https://github.com/Athlon1600/php-proxy/blob/master/src/helpers.php, an attacker could compare a plain text request with the corresponding cyphertext returned by the proxy, and retrieving secret key (by substracting each chars). With this key he can create custom queries, for example launch a port scanning on localhost. You can for example append a HTAG in the proxied URLs.