Wallos Incomplete Server-Side Request Forgery (SSRF) Fix Vulnerability

Vulnerability

A vulnerability exists in Wallos, a personal subscription tracker, in versions prior to 4.8.4. The issue arises from an incomplete fix for server-side request forgery (SSRF) vulnerabilities. While webhook URLs are validated using 'gethostbyname()', the original hostname is passed to cURL without 'CURLOPT_RESOLVE' pinning on 10 of 11 outbound HTTP endpoints. This oversight creates a time-of-check to time-of-use (TOCTOU) vulnerability, allowing DNS rebinding attacks. At the time of publication, no patches are available.

Impact

Exploitation of this vulnerability allows an attacker to bypass the SSRF validation, leading to unauthorized access of internal services through the application's webhook and notification endpoints.

Reproduction

The vulnerability can be reproduced by submitting a webhook URL whose hostname first resolves to a public IP address (which passes the SSRF validation) and is then rebound to a private IP address (such as localhost or a metadata service) by the time the cURL request is made. This requires control of a DNS server that alternates the IP address it returns for the hostname.

Remediation

To address this vulnerability, 'CURLOPT_RESOLVE' should be used to pin the hostname to the validated IP address for all cURL requests. Additionally, the 'is_cgnat_ip()' function should be updated to handle IPv6-mapped addresses.
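As an added illustration of that remediation (example code, not from the Wallos project): a webhook fetch that resolves the host once, rejects private, reserved and CGNAT answers, and then pins that answer with 'CURLOPT_RESOLVE'. The 'is_cgnat_ip()' here is a hypothetical implementation that also unwraps IPv4-mapped IPv6 addresses; the other names are likewise assumptions for this example.

```php
<?php
// Added example, not Wallos code: resolve the webhook host once, reject
// internal answers, then pin that answer so a later DNS change cannot
// redirect the cURL request (closes the TOCTOU window).

// Hypothetical CGNAT (100.64.0.0/10) check that also accepts the
// IPv4-mapped IPv6 forms ::ffff:100.64.0.1 and ::ffff:6440:1.
function is_cgnat_ip(string $ip): bool {
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return false;
    }
    if (strlen($packed) === 16) {
        if (substr($packed, 0, 12) !== str_repeat("\0", 10) . "\xff\xff") {
            return false;                 // native IPv6, not a mapped IPv4
        }
        $packed = substr($packed, 12);    // unwrap the embedded IPv4
    }
    $n = unpack('N', $packed)[1];
    return ($n & 0xFFC00000) === 0x64400000;
}

// Private and reserved ranges via filter_var, plus CGNAT which it misses.
function is_disallowed_ip(string $ip): bool {
    return is_cgnat_ip($ip) || filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns the response body, or false when the URL fails validation.
function fetch_webhook(string $url) {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    $host = $p['host'];
    $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
    $ip = gethostbyname($host);           // single lookup (IPv4 only)
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || is_disallowed_ip($ip)) {
        return false;                     // unresolvable or internal target
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect would escape the pin
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],  // pin to validated IP
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

Because 'gethostbyname()' only returns IPv4 answers, this example accepts IPv4 targets only; redirects are disabled since a Location header would otherwise send cURL to an unpinned host.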

Added: May 7, 2026, 3:35 PM
Updated: May 7, 2026, 3:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 3.6
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.