Wallos SSRF Vulnerability in Notification Webhook URL Handling

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Wallos, a personal subscription tracker, prior to version 4.7.0. The issue arises because the SSRF protection implemented in version 4.6.2 is incomplete. While the 'validate_webhook_url_for_ssrf()' function was added to the 'test*' notification endpoints, it was not applied to the corresponding 'save*' endpoints. This oversight allows authenticated users to save internal or private IP addresses as notification URLs. When the cron job 'sendnotifications.php' runs, it sends requests to these internal IPs without any SSRF validation, potentially exposing sensitive data.
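As an added illustration (not Wallos's own code and not the 4.7.0 patch), the following Python sketch shows the property the 4.6.2 change lacked: one SSRF check that guards the save path as well as the test path, and that runs again when the cron sender is about to use a stored URL. The names WebhookStore, table_resolver and SAMPLE_RECORDS, and the DNS answers in SAMPLE_RECORDS, are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}
_default_resolve = lambda host: {i[4][0] for i in socket.getaddrinfo(host, None)}  # live DNS

def table_resolver(table):
    # Offline DNS stand-in: unknown names resolve to nothing and are rejected.
    return lambda host: table.get(host, set())

SAMPLE_RECORDS = {  # constructed records, not real DNS answers
    "hooks.example.com": {"93.184.216.34"},  # globally routable
    "rebind.example.com": {"10.0.0.5"},      # harmless-looking name, private target
}
SAMPLE_DNS = table_resolver(SAMPLE_RECORDS)

def _is_public(addr):
    # False for loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT, etc.
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def validate_webhook_url(url, resolve=_default_resolve):
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    try:
        ipaddress.ip_address(host)    # literal IP: check it directly
        addrs = {host}
    except ValueError:                # hostname: check what it resolves to
        try:
            addrs = resolve(host)
        except OSError:               # getaddrinfo failure
            return False
    return bool(addrs) and all(_is_public(a) for a in addrs)

class WebhookStore:
    # Stand-in for the save*/test* endpoints and the cron sender: validate on the
    # save path (the one the 4.6.2 fix missed) and again right before sending.
    def __init__(self, resolve=_default_resolve):
        self._urls, self._resolve = [], resolve

    def save(self, url):
        if not validate_webhook_url(url, self._resolve):
            raise ValueError("webhook URL rejected by SSRF validation")
        self._urls.append(url)

    def urls_to_notify(self):
        # Re-check at send time: the name may resolve differently now than at save.
        return [u for u in self._urls if validate_webhook_url(u, self._resolve)]
```

Checking every address a name resolves to, and repeating the check at send time, also covers the case where a saved hostname later starts pointing at an internal address.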

Impact

Exploitation of this vulnerability creates a blind SSRF condition, allowing authenticated users to access internal network resources. In cloud environments, such as AWS, GCP, or Azure, this could involve reaching instance metadata endpoints, where sensitive information like IAM credentials or API keys could be retrieved.

Reproduction

To reproduce this vulnerability, an authenticated user can save a webhook notification URL that points to an internal IP address, such as the AWS metadata endpoint. This can be done using a POST request to the 'savewebhooknotifications.php' endpoint, including the internal URL in the request payload. Once the URL is saved, the cron job 'sendnotifications.php' can be executed, which will send a request to the internal IP without any SSRF validation.

Remediation

Users are advised to update to Wallos version 4.7.0, where this vulnerability has been addressed.

Added: Mar 24, 2026, 6:27 PM
Updated: Mar 24, 2026, 6:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 3.3
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.