changedetection.io XPath XML Parsing Vulnerability Leading to XML External Entity Injection

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in changedetection.io versions up to and including 0.54.9. The issue arises in the 'xpath_filter()' function, which parses XML/RSS content without disabling external entity resolution. As a result, untrusted XML can be parsed in a way that exposes sensitive local files through entity expansion, depending on the runtime environment.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of sensitive local files, which would be included in the application's watch output, diff history, and notification channels.

Reproduction

To reproduce this vulnerability, monitor a URL that returns untrusted XML or RSS content, and ensure that the XPath include filter is activated, since that is the code path that triggers the vulnerable XML parsing. The default behavior of the XML parser in the current runtime must also allow external entity expansion. If these conditions are met, the vulnerability can be exploited by including external entity declarations in the XML response that the parser is allowed to expand, potentially leading to local file disclosure.

Remediation

Users can address this vulnerability by hardening the XML parser settings to disable entity resolution, DTD loading, and network access. It is also recommended to reject DOCTYPE or entity declarations in untrusted XML unless DTD features are needed.
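The following guard, an added example that is not code from changedetection.io or from this advisory, shows the second remediation in practice: untrusted XML/RSS is rejected outright if it carries a DOCTYPE or any entity declaration, and only then is it parsed and filtered. It uses only the Python standard library; the function names, the sample feeds and the placeholder SYSTEM path are constructed for illustration.

```python
"""Gate untrusted XML/RSS before XPath-style filtering: reject DOCTYPE and
entity declarations, then parse with the stdlib ElementTree parser."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UntrustedXMLRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def reject_dtd_and_entities(xml_bytes: bytes) -> None:
    """Scan the document with expat and abort on the first DOCTYPE or entity
    declaration. The handlers only observe declarations; nothing is fetched
    from disk or network during this scan."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXMLRejected(f"DOCTYPE declaration not allowed: {name!r}")

    def on_entity(*decl):
        # decl[0] is the entity name; internal and external entities alike
        raise UntrustedXMLRejected(f"entity declaration not allowed: {decl[0]!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UntrustedXMLRejected(f"malformed XML: {exc}") from exc


def filter_untrusted_xml(xml_bytes: bytes, path: str) -> list[str]:
    """Apply the guard, then select text nodes with an ElementTree path
    expression (the stdlib's limited XPath subset, e.g. './/item/title')."""
    reject_dtd_and_entities(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return [(el.text or "") for el in root.iterfind(path)]


# Constructed sample feeds (not taken from the advisory). The second one
# carries the kind of external entity declaration the advisory warns about;
# the SYSTEM identifier is a placeholder, not a real target path.
BENIGN_RSS = b"""<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>release 1.2</title></item>
<item><title>release 1.3</title></item>
</channel></rss>"""

DTD_RSS = b"""<?xml version="1.0"?>
<!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///placeholder/path">]>
<rss version="2.0"><channel><item><title>&ext;</title></item></channel></rss>"""

BARE_DOCTYPE_RSS = b"""<?xml version="1.0"?>
<!DOCTYPE rss>
<rss version="2.0"><channel><item><title>x</title></item></channel></rss>"""


if __name__ == "__main__":
    print(filter_untrusted_xml(BENIGN_RSS, ".//item/title"))
    for sample in (DTD_RSS, BARE_DOCTYPE_RSS):
        try:
            filter_untrusted_xml(sample, ".//item/title")
        except UntrustedXMLRejected as exc:
            print("rejected:", exc)
```

Rejecting declarations up front keeps the filter independent of whichever parser and defaults the runtime provides. If the production parser is lxml, the first remediation (hardening parser settings) corresponds to constructing its XMLParser with resolve_entities=False, load_dtd=False and no_network=True; combining that with the declaration gate above covers both recommendations in the advisory.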

Added: May 12, 2026, 7:15 PM
Updated: May 12, 2026, 7:15 PM

Vulnerability Rating

Custom Algorithm

spread:         0.3
impact:         2.5
exploitability: 8.1
remediation:    7.9
relevance:      8.1
threat:         1.6
urgency:        2.9
incentive:      8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.