changedetection.io path traversal using file URI scheme without supplying hostname

High severity | GitHub Reviewed | Published Nov 7, 2024 in dgtlmoon/changedetection.io | Updated Nov 8, 2024

Published to the GitHub Advisory Database: Nov 7, 2024
Reviewed: Nov 7, 2024
Published by the National Vulnerability Database: Nov 8, 2024
Last updated: Nov 8, 2024

Description
Summary

The validation for the file URI scheme falls short and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled and ALLOW_FILE_URI set to false or not defined.

Details
The check used for the URL protocol, is_safe_url, allows file: as a URL scheme:
https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py#L11-L13

It later checks whether local files are permitted, but one of the preconditions for that check is that the URL starts with file://. The issue is that the file URI scheme is not required to have double slashes, so a file: URL written with a single slash never reaches that check:
https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/processors/__init__.py#L37-L41
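As an added illustration (not changedetection.io's own code), the snippet below puts a prefix-based gate of the kind the advisory describes beside a check that parses the scheme instead. The function names and the allow_file_uri parameter are hypothetical stand-ins for the ALLOW_FILE_URI setting; the sample URLs are constructed.

```python
"""Prefix matching vs. scheme parsing for a file: URL gate.

Hypothetical helper names; allow_file_uri mirrors the ALLOW_FILE_URI
setting named in the advisory (default: local files not allowed).
"""
from urllib.parse import urlsplit


def prefix_check_denies(url: str, allow_file_uri: bool = False) -> bool:
    """Weak gate: deny only URLs that literally start with 'file://'.

    'file:/etc/passwd' is a valid file URI (RFC 8089 permits the
    single-slash form with no authority), so it slips past this test.
    """
    return (not allow_file_uri) and url.startswith("file://")


def scheme_check_denies(url: str, allow_file_uri: bool = False) -> bool:
    """Hardened gate: decide on the parsed scheme, not on a prefix.

    urlsplit() lowercases the scheme, so 'FILE:/x', 'file:/x' and
    'file:///x' all yield scheme == 'file'; whitespace is stripped first.
    """
    if allow_file_uri:
        return False
    return urlsplit(url.strip()).scheme == "file"


def is_safe_url(url: str, allow_file_uri: bool = False) -> bool:
    """Allow-list of schemes; file: passes only when explicitly enabled.

    Anything else (javascript:, data:, an empty scheme, ...) is rejected,
    which is the safer default for a URL a user can supply.
    """
    scheme = urlsplit(url.strip()).scheme
    if scheme in ("http", "https"):
        return True
    return scheme == "file" and allow_file_uri


if __name__ == "__main__":
    # Constructed inputs: the second one is the single-slash form.
    for sample in ("file:///etc/passwd", "file:/etc/passwd"):
        print(sample, prefix_check_denies(sample), scheme_check_denies(sample))
```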
PoC

file:/etc/passwd, or a similar path for your operating system. Enable webdriver mode.