
SSRF in rompager-check

Low
Hanno's projects
Submitted None

Vulnerability Details

Technical details and impact analysis

Server-Side Request Forgery (SSRF)
## Summary

The script `rompager.php` does not restrict which hosts can be requested. Thereby, an attacker can send HTTP requests to localhost and other servers of the same local network segment, on ports 80 and 7547.

## Description

In `rompager.php`, the value of `CURLOPT_URL` is fully controlled:

```php
<?php
// [...]
function checkHost($ip, $port) {
    $ch = curl_init();
    // $ip comes straight from the request; no host validation is performed
    curl_setopt($ch, CURLOPT_URL, "http://".$ip);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 1);
    curl_setopt($ch, CURLOPT_HEADER, TRUE);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_PORT, $port);
    $data = curl_exec($ch);
    // [...]
}
// [...]
} else {
    $ip = $_GET['ip'];
}
output("<h4>Port 80</h4>\n");
checkHost($ip, 80);
output("<h4>Port 7547</h4>\n");
checkHost($ip, 7547);
```

## Steps To Reproduce

1. Access https://rompager.hboeck.de/?ip=localhost;
2. Notice that *No RomPager found* is shown under *Port 80*.

## Impact

An attacker could force `rompager.hboeck.de` to perform HTTP requests to localhost or servers of the same local network segment.
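The fix the report implies is to validate the target before it ever reaches curl. The following is an added example, not code from `rompager.php` or from the report's author: a hardened counterpart of `checkHost()` that accepts only literal, globally routable IP addresses (so `localhost`, loopback, RFC 1918 and link-local targets are refused), restricts the port to the two the script legitimately probes, pins curl to plain HTTP, and refuses redirects so a public host cannot bounce the request back to an internal address. The function and constant names (`checkHostSafe`, `isPublicIpLiteral`, `ALLOWED_PORTS`) are assumptions chosen for illustration, and the self-check at the bottom runs over constructed inputs without touching the network.

```php
<?php
// Added example (not the rompager.php code from the report): a hardened
// variant of checkHost() that refuses targets on the local host or local
// network segment. Names below are illustrative assumptions. Requires PHP 8
// (str_contains) and the curl extension.

const ALLOWED_PORTS = [80, 7547];

/**
 * True only for a literal IPv4/IPv6 address outside private and reserved
 * ranges. Hostnames are rejected outright, so "localhost" or a DNS name that
 * resolves to an internal address never reaches curl.
 */
function isPublicIpLiteral(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

function isAllowedPort(int $port): bool
{
    return in_array($port, ALLOWED_PORTS, true);
}

/**
 * Hardened counterpart of the report's checkHost(). Returns the raw response
 * (headers included), or null when the target is refused or the request fails.
 */
function checkHostSafe(string $ip, int $port): ?string
{
    if (!isPublicIpLiteral($ip) || !isAllowedPort($port)) {
        return null;
    }
    // Bracket IPv6 literals so the URL parses as host:port, not as junk.
    $host = str_contains($ip, ':') ? "[$ip]" : $ip;

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => "http://{$host}:{$port}/",
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP,  // no file://, gopher://, ...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP,
        CURLOPT_FOLLOWLOCATION  => false,           // never follow 3xx
        CURLOPT_CONNECTTIMEOUT  => 1,
        CURLOPT_TIMEOUT         => 1,
        CURLOPT_HEADER          => true,
        CURLOPT_RETURNTRANSFER  => true,
    ]);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data === false ? null : $data;
}

// Offline self-check on constructed inputs; none of these open a connection.
$cases = [
    'localhost'    => false, // hostname, not an IP literal
    '127.0.0.1'    => false, // loopback (reserved range)
    '10.0.0.5'     => false, // RFC 1918 private
    '192.168.1.1'  => false, // RFC 1918 private
    '169.254.1.1'  => false, // link-local (reserved range)
    '::1'          => false, // IPv6 loopback
    '198.51.100.7' => true,  // RFC 5737 documentation range; not in PHP's reserved list, so accepted
];
foreach ($cases as $candidate => $expected) {
    $ok = isPublicIpLiteral($candidate);
    printf("%-14s %s\n", $candidate, $ok === $expected ? 'ok' : 'MISMATCH');
}
```

Two caveats on the design: PHP's `FILTER_FLAG_NO_RES_RANGE` does not cover every non-routable block (for example 100.64.0.0/10 or multicast), so a deployment that must be strict should add its own deny list on top of it; and because only IP literals are accepted, the DNS-rebinding problem of validating a hostname and then letting curl resolve it again does not arise here.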

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Submitted

Weakness

Server-Side Request Forgery (SSRF)