changedetection.io Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability affects changedetection.io versions prior to 0.54.1. The URL validation function 'is_safe_valid_url()' does not resolve the hostname of a watch URL and check the resulting IP addresses against private, loopback, or link-local ranges, so a URL whose hostname points at an internal address passes validation. Any authenticated user, or any user at all on an instance without a password (the default configuration), can therefore add a watch for an internal network URL. The application fetches that URL server-side, stores the response, and displays it in the web UI, which turns the SSRF into direct data exfiltration from internal services. Two properties make this worse than a typical blind SSRF: the fetched content is stored and readable by the user, and a watch is re-fetched on a schedule, so the internal resource is accessed repeatedly for as long as the watch exists. Because there is no default password, the web UI is open to anyone who can reach it on the network.

Impact

Exploitation allows unauthorized access to internal services and the data they return. In cloud environments, a watch pointed at the instance metadata service (169.254.169.254 on the major providers) can expose sensitive metadata such as IAM credentials, which can then be used for further access or actions within the cloud account.

Reproduction

To reproduce, deploy changedetection.io version 0.53.1 or earlier (any release before 0.54.1 is affected) on a server without a password. Once the application is running, add a watch whose URL points at an internal service, for example the cloud metadata endpoint. After the watch is created, the application fetches the URL, stores the response, and makes the content available in the UI, which demonstrates the data exfiltration. Note that the missing check concerns what the hostname resolves to, not only the literal text of the URL: a public-looking DNS name that resolves to an internal address reaches the same internal service.
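The following is an added example, not code from changedetection.io or from this advisory, showing the kind of resolve-then-check validation the page says was missing: the hostname of a watch URL is resolved, every returned address is tested against loopback, private, link-local and other non-routable ranges (literal IPs, including IPv4-mapped IPv6, are checked without DNS), and the vetted addresses are handed back so the fetcher can connect to them directly. Only the function name `is_safe_valid_url` comes from the advisory; its body here is not the project's implementation, and the resolver names, the `FAKE_DNS` table and the `.test` hostnames are assumptions constructed for an offline demonstration.

```python
"""Resolve-then-check validation for watch URLs (added example, not project code)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# A resolver maps a hostname to the list of IP address strings it resolves to.
Resolver = Callable[[str], Iterable[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolver(host: str) -> List[str]:
    """Resolve via the OS resolver and return every A/AAAA answer, de-duplicated."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_forbidden_address(addr: IPAddress) -> bool:
    """True for any address a server-side fetch must never be allowed to reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback        # 127.0.0.0/8, ::1
        or addr.is_private      # RFC 1918, ULA and the other special-use blocks
        or addr.is_link_local   # 169.254.0.0/16 (cloud metadata lives here), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified  # 0.0.0.0, ::
    )


def is_safe_valid_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, List[str], str]:
    """
    Validate a watch URL by resolving its host and checking every resulting address.

    Returns (ok, addresses, reason). On success `addresses` holds the vetted IPs;
    the fetcher should connect to one of those rather than resolving the name a
    second time, otherwise a DNS answer that changes between check and fetch
    (DNS rebinding) defeats the check.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, [], f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, [], f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, [], "URL has no host"

    try:
        # A literal IP needs no DNS lookup (urlsplit strips IPv6 brackets).
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            candidates = list(resolver(host))
        except (socket.gaierror, OSError) as exc:
            return False, [], f"resolution failed for {host!r}: {exc}"
        if not candidates:
            return False, [], f"no addresses for {host!r}"

    for raw in candidates:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return False, [], f"resolver returned a non-address {raw!r}"
        if is_forbidden_address(addr):
            return False, [], f"{host} resolves to forbidden address {addr}"
    return True, candidates, "ok"


# Constructed DNS data for an offline demonstration; none of these are real hosts.
FAKE_DNS: Dict[str, List[str]] = {
    "public.test": ["93.184.216.34"],                 # ordinary public unicast address
    "intranet.test": ["10.0.0.5"],                    # RFC 1918
    "split.test": ["93.184.216.34", "127.0.0.1"],     # one public answer, one loopback
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for system_resolver that answers only from FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host!r}")


def demo() -> Dict[str, bool]:
    """Run the check over representative watch URLs; returns url -> accepted."""
    urls = [
        "https://public.test/status",
        "https://intranet.test/admin",
        "https://split.test/",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:5000/",
        "http://[::1]:5000/",
        "http://[::ffff:10.0.0.1]/",
        "http://nxdomain.test/",
        "ftp://public.test/",
    ]
    return {u: is_safe_valid_url(u, fake_resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, accepted in demo().items():
        print(f"{'ALLOW' if accepted else 'BLOCK':5} {url}")
```

Two caveats a deployment still has to handle beyond this check: a target that answers with a redirect to an internal address must be re-validated at every hop, and a name that resolves differently at fetch time than at check time (DNS rebinding) is only defeated if the fetcher uses the addresses returned here instead of resolving the name again.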

Remediation

Update to changedetection.io version 0.54.1 or later, where the URL validation has been fixed. Until the update is applied, set a password on the web UI and restrict network access to the instance, since the default configuration exposes the UI to anyone who can reach it.

Added: Feb 25, 2026, 5:25 AM
Updated: Feb 25, 2026, 5:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 8.2
remediation: 8.3
relevance: 3.4
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.