ellite Wallos
cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*
- <= 4.6.2
A server-side request forgery (SSRF) vulnerability has been identified in Wallos, a personal subscription tracker, in versions prior to 4.7.0. The issue arises in the 'endpoints/logos/search.php' file, where the application accepts HTTP_PROXY and HTTPS_PROXY environment variables without proper validation. This lack of validation allows attackers to manipulate DNS resolutions and redirect outbound requests through malicious proxies, potentially accessing internal services or exfiltrating data via DNS.
Exploitation of this vulnerability allows for general server-side request forgery (SSRF) impacts, with the added risk of proxy hijacking, which can be used to access internal network services or perform DNS-based out-of-band attacks for data exfiltration.
To reproduce this vulnerability, send a request to the 'endpoints/logos/search.php' endpoint with a crafted 'search' parameter. The server will resolve the domain via DNS and, if the HTTP_PROXY or HTTPS_PROXY environment variable is set, it will route the request through the specified proxy. This can be combined with a DNSLog listener to capture the DNS resolution, demonstrating the SSRF via proxy hijacking.
Users are advised to update to Wallos version 4.7.0 or later, where this vulnerability has been patched.
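As an added illustration of the defensive pattern this advisory points at (this is not Wallos's code or its 4.7.0 patch), the following PHP helper fetches a logo URL while telling libcurl to ignore any proxy supplied through the environment and refusing hostnames that resolve to non-public addresses; the function names are hypothetical.

```php
<?php
// Added example, not Wallos code: fetch a remote logo while refusing
// environment-supplied proxies and non-public destinations. Names are hypothetical.
function resolvePublicIp(string $host): ?string {
    // Resolve first so the address can be checked before connecting
    // (gethostbynamel() returns IPv4 answers only).
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        // Reject loopback, link-local, RFC 1918 and reserved ranges.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null; // one internal answer rejects the whole lookup
        }
    }
    return $ips[0];
}

function fetchLogo(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $ip = resolvePublicIp($parts['host']);
    if ($ip === null) {
        return null;
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROXY          => '',   // empty string: ignore HTTP_PROXY/HTTPS_PROXY
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ip}"], // pin vetted IP
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point inward
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

Pinning the vetted address with CURLOPT_RESOLVE matters because a second DNS lookup inside libcurl could otherwise return a different answer than the one that was checked.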