Woahai321 ListSync Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Woahai321 ListSync versions through 0.6.6. The issue lies in the JSON Handler component, specifically in the file 'list-sync-main/api_server.py', where a webhook URL taken from the request body is passed to the 'requests.post' function. An attacker can submit a crafted JSON payload containing a webhook URL, which is then used as the request destination without any validation or allowlist checks. The vulnerability can be exploited remotely and has been publicly disclosed.

Impact

Successful exploitation lets an attacker make the server issue outbound HTTP requests to an attacker-controlled URL. This can be used for internal network scanning, probing for open ports, or exfiltrating sensitive data from cloud metadata services such as AWS IMDSv1.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/notifications/test' endpoint with a JSON payload that includes a 'webhook_url' parameter. The value of this parameter should be a URL pointing to a server controlled by the attacker. Once the request is processed, the server makes an outbound HTTP request to the specified URL, which can be verified by observing DNS callback hits originating from the server's IP.
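The root cause described above is that the webhook URL is handed to 'requests.post' with no validation. The following Python example, added here and not taken from the ListSync project, shows the kind of check a maintainer would put in front of that call: it restricts the scheme, requires the host to be on an operator-configured allowlist, resolves the host, and rejects any address that is not globally routable (loopback, RFC 1918, the 169.254.0.0/16 link-local range that hosts cloud metadata, IPv4-mapped IPv6 forms). The allowlist contents, the 'resolver' parameter and the function names are assumptions for illustration.

```python
"""Webhook URL validation intended to block SSRF before an outbound request is made.
Added example, not code from the ListSync project."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example allowlist of approved webhook destinations.
# A real deployment would load this from configuration.
ALLOWED_HOSTS = {"discord.com", "hooks.slack.com"}


def resolve_hostname(hostname):
    """Resolve a hostname to the set of IP address strings it points to (A and AAAA)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 private ranges, link-local (which includes the
    169.254.169.254 metadata endpoint), unspecified, reserved and multicast addresses.
    """
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:10.0.0.1 must be judged as 10.0.0.1, not as an IPv6 global address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_webhook_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_hostname):
    """Return (ok, reason). ok is True only when every check passes.

    'resolver' is injectable so the logic can be exercised offline; by default it
    performs a real DNS lookup.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # already lower-cased and stripped of brackets by urlsplit
    if not host:
        return False, "missing hostname"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, f"DNS resolution failed: {exc}"
    if not addrs:
        return False, "hostname resolved to no addresses"
    # Even an allowlisted name is rejected if it currently resolves somewhere private.
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs illustrating each rejection path.
    for candidate in (
        "https://discord.com/api/webhooks/1/abc",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8080/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_webhook_url(candidate))
```

The allowlist is the primary control; the resolved-address check is defence in depth. Because the lookup happens before 'requests.post' performs its own resolution, a name that changes answers between the two lookups (DNS rebinding) can still slip through, so a production version should either pin the connection to the validated address or disable redirects and re-validate each hop.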

Added: Mar 11, 2026, 10:20 PM
Updated: Mar 11, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.2
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.