ellite Wallos
cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*
- <= 4.8.0
A server-side request forgery (SSRF) vulnerability has been identified in Wallos versions prior to 4.8.1. The issue arises in the subscription and payment endpoints, where the inline SSRF protection validates IP addresses but does not block the Carrier-Grade NAT (CGNAT) range 100.64.0.0/10. This oversight allows authenticated users to make the application send requests to internal services reachable through Tailscale or other CGNAT environments.
Exploitation of this vulnerability allows for blind SSRF: the server makes HTTP requests to internal services within the CGNAT range without returning the responses to the requester, potentially leading to unauthorized access to or manipulation of those services.
To reproduce this vulnerability, first verify that the Wallos application is running version 4.8.0. After logging in as an authenticated user, add a subscription through the 'endpoints/subscription/add.php' endpoint. Include a logo URL that points to an internal service using a CGNAT address, such as 100.64.0.1. The server will then make a request to the specified internal service, demonstrating the SSRF vulnerability.
Users can update to Wallos version 4.8.1, which addresses the SSRF vulnerability by implementing a proper validation check for CGNAT IP addresses in the affected endpoints.
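The gap described above is a common shape of SSRF filter mistake: a check that tests for RFC 1918, loopback and link-local addresses but forgets Shared Address Space (RFC 6598). The following Python example is added here and is not Wallos code; it places a naive IP check of that shape beside a hardened one and wraps the hardened check in a URL gate of the kind a server-side logo fetcher would call before requesting anything. Python's ipaddress module reports is_private as False for 100.64.0.0/10, so a check built on is_private reproduces exactly this gap, while filtering on is_global (with the CGNAT block also named explicitly) closes it. The function names, the sample URLs and the injectable resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not Wallos code: a validation gate for a user-supplied URL that a
# server-side fetcher (such as a subscription logo downloader) is about to request.

# Shared Address Space (RFC 6598): the CGNAT range the advisory describes as
# unhandled before 4.8.1. Python's ipaddress classifies it as neither private
# nor global, so a check built on is_private alone has exactly this gap.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def as_address(ip):
    """Accept a string or an ip_address object; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so the IPv4 rules below also apply to the mapped form."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def naive_is_internal(ip):
    """Check with the gap the advisory describes: private, loopback and link-local
    only. 100.64.0.1 passes because is_private is False for 100.64.0.0/10."""
    ip = as_address(ip)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def hardened_is_internal(ip):
    """Deny anything that is not globally routable, and name the CGNAT block
    explicitly so the rule does not depend on how the library classifies it."""
    ip = as_address(ip)
    return (not ip.is_global) or ip in CGNAT


def system_resolve(host):
    """Resolve a hostname to all of its A/AAAA records as strings; [] if unresolvable."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Strip a scope suffix such as "%eth0" from link-local IPv6 results.
    return [info[4][0].split("%")[0] for info in infos]


def check_fetch_url(url, resolver=system_resolve, is_internal=hardened_is_internal):
    """Return (allowed, reason, addresses). The validated addresses are handed back
    so the caller can connect to exactly what was checked instead of resolving
    again at fetch time, which would reopen the check to DNS rebinding."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        addrs = [ipaddress.ip_address(host)]            # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]  # every record counts
        if not addrs:
            return False, "host does not resolve", []
    for ip in addrs:
        if is_internal(ip):
            return False, f"{ip} is not a public address", [str(a) for a in addrs]
    return True, "ok", [str(a) for a in addrs]


if __name__ == "__main__":
    # Constructed sample URLs; the public one uses a well-known resolver address.
    for url in ("http://100.64.0.1/logo.png", "http://127.0.0.1:8080/", "https://8.8.8.8/logo.png"):
        allowed, reason, _ = check_fetch_url(url)
        print(f"{url}: {'allowed' if allowed else 'blocked'} ({reason})")
    # The naive check lets the CGNAT URL through; the hardened one blocks it.
    print("naive:", check_fetch_url("http://100.64.0.1/logo.png", is_internal=naive_is_internal)[0])
```

Two points follow from the shape of this gate. First, the check has to run on every hop, so a fetcher that follows redirects must re-run it on each Location target rather than only on the submitted URL. Second, hostnames are validated by their resolved records, which is why the gate returns those records: connecting to the validated address (or resolving once and pinning it) keeps a hostname from resolving to something public at check time and to a 100.64.0.0/10 address at fetch time. Tailscale hands out addresses from this range, which is why the advisory names it.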