PT-2019-12670 · Webpagetest · Wpo Webpagetest

Griffin Francis · Published 2019-05-17 · Updated 2019-05-21

CVE-2019-12161

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WPO WebPageTest version 19.04

Description: Server-Side Request Forgery (SSRF). The ValidateURL function in www/runtest.php does not account for octal encoding of IP addresses when it checks the submitted test URL. For example, the leading octets of a 192.168.x.x address can be written in octal as 0300.0250; the check does not recognize this form as an internal address, while the component that later fetches the URL still resolves it to the same 192.168.x.x host. A user who can submit a test can therefore make the server request addresses the filter was meant to block.

Recommendations: For WPO WebPageTest version 19.04, modify the ValidateURL function so that it normalizes IP literals, including octal and other non-decimal notations, to a canonical address before comparing them against blocked ranges (or rejects non-canonical literals outright). As a temporary workaround, restrict access to the www/runtest.php script until a proper fix is in place.
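The bypass described above, as an added example in Python (this is not WebPageTest's PHP and not its ValidateURL code): naive_is_blocked is a hypothetical reconstruction of the class of check the advisory describes, matching only canonical dotted-decimal IPv4, while inet_aton_like reproduces the libc inet_aton() parsing rules (octal, hex, and 1- to 4-part forms) so that hardened_is_blocked judges the address an HTTP client would actually connect to. All sample hosts are constructed; 192.168.0.1 stands in for the advisory's 192.168.x.x target.

```python
import ipaddress
import re
from typing import Optional

# Added example, not WebPageTest code. naive_is_blocked() is a hypothetical
# reconstruction of the *class* of check CVE-2019-12161 describes (it only
# understands canonical dotted-decimal IPv4); hardened_is_blocked() normalizes
# the literal the way a libc inet_aton()-style resolver would before deciding.

DOTTED_DECIMAL = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def naive_is_blocked(host: str) -> bool:
    """Weak check: string-level match on canonical dotted-decimal only.
    '0300.0250.0.1' does not match the pattern, so it is treated as a
    hostname and allowed, even though it is 192.168.0.1."""
    m = DOTTED_DECIMAL.match(host)
    if not m:
        return False  # assumed to be a hostname: allowed
    a, b, _, _ = (int(x) for x in m.groups())
    return (
        a == 10
        or a == 127
        or (a == 172 and 16 <= b <= 31)
        or (a == 192 and b == 168)
        or (a == 169 and b == 254)
    )


def _parse_c_number(tok: str) -> int:
    """One inet_aton() component, parsed like strtoul(tok, NULL, 0):
    '0x'/'0X' prefix -> hex, leading '0' -> octal, otherwise decimal."""
    if not tok.isalnum():  # also rejects '', signs, whitespace, underscores
        raise ValueError(tok)
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)  # int('', 16) raises for a bare '0x'
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)


def inet_aton_like(host: str) -> Optional[ipaddress.IPv4Address]:
    """Accept the IPv4 literal forms a BSD/glibc inet_aton() accepts:
    1-4 dot-separated parts (decimal, octal or hex); the last part fills
    all remaining bytes. Returns None if `host` is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_c_number(p) for p in parts]
    except ValueError:
        return None
    *leading, last = nums
    if any(n > 0xFF for n in leading):
        return None
    remaining = 4 - len(leading)  # bytes covered by the last part
    if last >= 1 << (8 * remaining):
        return None
    value = 0
    for n in leading:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | last
    return ipaddress.IPv4Address(value)


def hardened_is_blocked(host: str) -> bool:
    """Normalize first, then judge the address the client would connect to.
    Hostnames still return False here: a complete fix resolves them and
    applies the same test to every resolved address."""
    addr = inet_aton_like(host)
    if addr is None:
        return False
    return (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


if __name__ == "__main__":
    # Constructed inputs: several spellings of 192.168.0.1 and 127.0.0.1.
    for h in ["192.168.0.1", "0300.0250.0.1", "0xC0.0xA8.0.1",
              "0300.0250.1", "3232235521", "017700000001", "8.8.8.8"]:
        print(f"{h:>16}  naive={naive_is_blocked(h)!s:5}  "
              f"hardened={hardened_is_blocked(h)}")
```

The design point is that the allow/deny decision must be made on the address the fetching component will use, not on the string the user typed. Either normalize every literal with the same rules as the client (as above) or refuse any IPv4 literal that is not four plain decimal octets; either choice removes the octal form in the advisory along with the hex, decimal-integer and short forms that the same resolver accepts. Hostnames and DNS rebinding are a separate problem and are not covered by this example.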

Fix

SSRF


Weakness Enumeration

Related identifiers

CVE-2019-12161

Affected products

Wpo Webpagetest