Published Date: December 28, 2024
Package | Affected Versions | Patched Versions | Severity
---|---|---|---
changedetection.io (pip) | < 0.48.05 | 0.48.05 | High
Description
Summary
Improper input validation in changedetection.io allows attackers to exploit Local File Read (LFR) and path traversal vulnerabilities. Attackers can manipulate file paths using specially crafted input, such as file:../../../etc/passwd, to access sensitive files. While previous patches attempted to address this issue, they remain insufficient, as attackers can still bypass checks using variations like:
- file:../../../../etc/passwd
- file: ///etc/passwd (with an extra space before the /)
Vulnerability Details
The problematic code lies in this validation check:
This regex aims to block file:/ access but fails to account for variations attackers might use, such as extra spaces or repeated ../ sequences.
Exploitation Example:
- Run an instance of changedetection.io with a webdriver.
- Create a new watch with: file:../../../../etc/passwd
- Preview the watch.
- The contents of /etc/passwd will be displayed.
Patches & Workarounds
Potential Fix
Strengthen the regex validation and ensure strict path sanitization. Example:
Additionally:
- Validate inputs against an allowlist.
- Use secure libraries or built-in utilities for path handling.
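As an added illustration of the gap described under Vulnerability Details and of the allowlist-based fix recommended above (example code, not changedetection.io's own): the weak check is an assumption approximating the prefix regex the advisory describes, and the base-directory rule for file: URLs is a suggested design, not the project's patch.

```python
import re
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical weak check that approximates the validation the advisory
# describes: it only blocks strings that literally start with "file:/".
# Constructed for this example; it is not changedetection.io's actual code.
WEAK_FILE_BLOCK = re.compile(r"^file:/")

def weak_is_allowed(url: str) -> bool:
    """Returns True when the weak prefix regex would let the watch URL through."""
    return WEAK_FILE_BLOCK.match(url) is None

ALLOWED_SCHEMES = {"http", "https"}

def hardened_is_allowed(url: str, file_base: Optional[str] = None) -> bool:
    """Allowlist-based replacement: parse the scheme instead of matching a
    prefix, reject embedded whitespace outright, and accept file: URLs only
    when a base directory is configured and the resolved path stays inside it."""
    if not url or re.search(r"\s", url):
        return False                      # "file: ///etc/passwd" stops here
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return bool(parts.netloc)         # http(s) must carry a host
    if scheme == "file" and file_base is not None:
        # urlsplit yields path "../../etc/passwd" for "file:../../etc/passwd"
        # and "/etc/passwd" for "file:///etc/passwd". Joining an absolute
        # path onto the base replaces the base, so resolve() catches both cases.
        base = Path(file_base).resolve()
        target = (base / parts.path).resolve()   # collapses ".." and symlinks
        return target == base or base in target.parents
    return False                          # every other scheme is denied
```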
Recommendation: Upgrade to version 0.48.05 immediately.