changedetection.io Unauthenticated Local File Read Vulnerability via Static Path Traversal

Vulnerability

A path traversal vulnerability has been identified in changedetection.io, a web page change detection tool, in versions prior to 0.53.2. The issue arises in the '/static/<group>/<filename>' route, where the 'group' parameter is not properly sanitized. This flaw allows for directory traversal by including '../', enabling unauthenticated users to read application source files, such as 'flask_app.py'. The vulnerability is limited to files within the application package directory and cannot access arbitrary system paths.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive application source files, which could expose internal logic and facilitate further attacks.

Reproduction

The vulnerability can be reproduced by sending a request to the '/static/<group>/<filename>' route with a 'group' parameter that contains dot segments for directory traversal. This can be done with curl, either by URL-encoding the traversal sequence or by passing the '--path-as-is' option so that curl sends the dot segments as written instead of normalizing them away before the request leaves the client. The response contains the contents of the 'flask_app.py' file, demonstrating successful exploitation of the vulnerability.
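The unchecked path-join pattern behind the Vulnerability section beside a hardened resolver, plus a check over constructed access-log lines for the requests described under Reproduction, as an added example that is not changedetection.io's own code; the static root path, the function names and the log lines are assumptions.

```python
import os
import re
from typing import Optional

STATIC_ROOT = "/srv/app/static"  # assumed install path (placeholder, not the project's)

def resolve_naive(group: str, filename: str) -> str:
    """Joins the URL segments with no containment check: the class of bug
    the advisory describes. A group such as '../../' walks out of
    STATIC_ROOT (the framework has already decoded '%2e%2e' to '..')."""
    return os.path.normpath(os.path.join(STATIC_ROOT, group, filename))

def resolve_safe(group: str, filename: str) -> Optional[str]:
    """Normalizes the candidate path and verifies it is still under
    STATIC_ROOT. Returns None (handler should answer 404) for dot
    segments, absolute segments, or anything else leaving the root."""
    root = os.path.normpath(STATIC_ROOT)
    candidate = os.path.normpath(os.path.join(root, group, filename))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# Raw or percent-encoded '..' followed by a separator or end of path.
_DOT_SEGMENT = re.compile(r"(?:%2e|\.){2}(?:%2f|/|$)", re.IGNORECASE)

def flag_static_traversal(log_line: str) -> bool:
    """True when a combined-format access-log line requests /static/
    with a dot segment, which is what the requests under Reproduction
    look like in a web server or reverse proxy log."""
    m = re.search(r'"(?:GET|HEAD) (\S+)', log_line)
    if not m:
        return False
    path = m.group(1)
    return path.startswith("/static/") and bool(_DOT_SEGMENT.search(path))

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Feb/2026:18:37:00 +0000] "GET /static/js/app.js HTTP/1.1" 200 1024',
    '10.0.0.9 - - [19/Feb/2026:18:37:02 +0000] "GET /static/../../flask_app.py HTTP/1.1" 200 9000',
    '10.0.0.9 - - [19/Feb/2026:18:37:03 +0000] "GET /static/%2e%2e/%2e%2e/flask_app.py HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(resolve_naive("../../", "flask_app.py"))  # escapes the root: /srv/flask_app.py
    print(resolve_safe("../../", "flask_app.py"))  # None
    print([flag_static_traversal(line) for line in SAMPLE_LOG])  # [False, True, True]
```

Restricting 'group' to an explicit allowlist of known static subdirectories is a stronger fix than the containment check alone, and the two can be combined.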

Remediation

Users are advised to update to changedetection.io version 0.53.2 or later, where this vulnerability has been fixed.

Added: Feb 19, 2026, 6:37 PM
Updated: Feb 19, 2026, 6:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.