cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*
- <= 4.6.0
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Wallos, an open-source personal subscription tracker, in versions through 4.6.0. The vulnerability resides in the subscription and payment logo upload features. The application initially validates the IP address of the provided URL but allows HTTP redirects, enabling attackers to bypass this validation and access internal resources, including cloud metadata endpoints. This flaw occurs because the cURL request follows redirects without re-validating the destination IP, potentially leading to unauthorized access to sensitive information.
Exploitation of this vulnerability allows for cloud metadata exfiltration, internal network scanning, and data exfiltration by saving retrieved data as a file that can be accessed through the application's user interface.
To reproduce this vulnerability, upload a logo by sending a POST request to 'endpoints/subscription/add.php' or 'endpoints/payments/add.php' with a URL that points to an attacker-controlled server. This server should return a redirect to an internal metadata endpoint. Once the logo is uploaded, the response from the metadata endpoint is saved as a PNG file in the 'images/uploads/logos/' directory, which can be accessed through the Wallos application interface.
Users are advised to update to Wallos version 4.6.1, where this vulnerability has been fixed. For those unable to update, disable redirect following in the cURL requests, or use CURLOPT_RESOLVE to pin the validated IP address so that no redirect can be followed to an unchecked destination.
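One concrete form of the second mitigation, as an added example and not Wallos's own code: resolve the host first, reject private and reserved addresses (IPv4 only here), pin the validated address with CURLOPT_RESOLVE, turn off CURLOPT_FOLLOWLOCATION, and run the same check on every Location hop before the next request is sent. The function names and the redirect limit are my own choices.

```php
<?php
// IPv4-only check: rejects RFC 1918 private, loopback and link-local ranges
// (the last covers the usual 169.254.169.254 cloud metadata address).
function isPublicIp(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4
        | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// Resolve the host ourselves; return one public IPv4 address to pin, or null
// if the host is a non-public IP literal or any DNS answer is non-public.
function resolvePublicHost(string $host): ?string {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return isPublicIp($host) ? $host : null;
    }
    $records = @dns_get_record($host, DNS_A);
    if (!$records) return null;
    foreach ($records as $r) {
        if (!isPublicIp($r['ip'])) return null;
    }
    return $records[0]['ip'];
}

// Fetch $url, following at most $maxRedirects Location headers by hand so that
// every hop goes through the same address validation as the first request.
function safeFetch(string $url, int $maxRedirects = 3): ?string {
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $p = parse_url($url);
        if ($p === false) return null;
        $scheme = strtolower($p['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) return null;
        $host = trim($p['host'] ?? '', '[]');
        $ip = resolvePublicHost($host);
        if ($ip === null) return null;                     // blocked before any request is sent
        $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,               // cURL must never follow on its own
            CURLOPT_RESOLVE        => ["$host:$port:$ip"], // connect to the validated IP, not a fresh lookup
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);  // absolute Location target, "" if none
        curl_close($ch);
        if ($code >= 300 && $code < 400 && $next) { $url = $next; continue; }
        return $body === false ? null : $body;
    }
    return null; // redirect limit reached
}
```

Pinning the address with CURLOPT_RESOLVE also closes the gap between the DNS check and the connection, so a host that re-resolves to an internal address after validation is still rejected.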