changedetection.io Arbitrary Local File Read Vulnerability via Crafted Backup Restore

Vulnerability

An arbitrary local file read vulnerability has been identified in changedetection.io prior to version 0.55.1. The issue arises from the application's backup restore process, which trusts snapshot paths that an attacker can control. When a backup ZIP file is restored, the application extracts the archive and copies the restored watch UUID directories directly into the live datastore, preserving any attacker-controlled files, such as 'history.txt', inside the restored watch directory. After restoration, the application parses 'history.txt' and returns the contents of whichever local file the listed path points to, giving access to sensitive system files or application data.

Impact

Exploitation of this vulnerability leads to unauthorized disclosure of arbitrary local files, including core operating system files, application data from the datastore directory, and sensitive secrets or configuration files accessible to the application process.

Reproduction

To reproduce this vulnerability, first create a watch in the changedetection.io application and ensure it has generated a valid history entry. Next, create a backup of the watch and extract the backup archive. Locate the watch UUID directory that contains the 'history.txt' file, and edit 'history.txt' to include a path to a readable local file, such as '/etc/passwd'. Repack the backup archive, ensuring the UUID directories are at the root of the ZIP file. Finally, restore the modified backup in the application, which will read the attacker-controlled path from 'history.txt' and display the contents of the referenced file.

Remediation

Users should update to changedetection.io version 0.55.1 or later, where this vulnerability has been fixed.
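As an added illustration of the check a restore path needs (example code written for this advisory, not changedetection.io's own fix), the function below accepts a snapshot path from a restored 'history.txt' only when it resolves inside the watch's own directory, rejecting absolute paths, '..' traversal and symlinks that point elsewhere. The `<timestamp>,<path>` line format, the helper names and the constructed sample history are assumptions.

```python
from pathlib import Path
import tempfile

# Hypothetical hardening check (not the project's actual patch): a snapshot path read
# from a restored history.txt is trusted only if it stays inside the watch directory.

def is_within(base: Path, candidate: Path) -> bool:
    """True if candidate, after resolving '..' and symlinks, lies inside base."""
    try:
        candidate.resolve(strict=False).relative_to(base.resolve(strict=False))
        return True
    except ValueError:
        return False

def validate_history(watch_dir: Path, history_text: str):
    """Split history.txt into accepted (timestamp, path) pairs and rejected raw lines.
    Assumed format: '<unix timestamp>,<snapshot path>'; relative paths are joined to watch_dir."""
    accepted, rejected = [], []
    for line in history_text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, sep, raw_path = line.partition(",")
        if not sep or not timestamp.isdigit() or not raw_path:
            rejected.append(line)          # malformed entry
            continue
        candidate = Path(raw_path)
        if not candidate.is_absolute():
            candidate = watch_dir / candidate
        if is_within(watch_dir, candidate):
            accepted.append((timestamp, candidate))
        else:
            rejected.append(line)          # escapes the watch directory
    return accepted, rejected

def demo():
    """Run the check over a constructed history.txt in a temporary watch directory."""
    watch_dir = Path(tempfile.mkdtemp(prefix="watch-"))
    (watch_dir / "abc.txt").write_text("snapshot")
    constructed = (
        "1700000000,abc.txt\n"        # legitimate snapshot inside the watch dir
        "1700000001,/etc/passwd\n"    # absolute path outside the datastore
        "1700000002,../../x.txt\n"    # traversal out of the watch directory
        "garbage line\n"              # malformed entry
    )
    accepted, rejected = validate_history(watch_dir, constructed)
    return [p.name for _, p in accepted], rejected
```

Running `demo()` keeps only the in-directory snapshot and reports the other three lines as rejected, which is also a useful signal to log during a restore.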

Added: May 12, 2026, 7:00 PM
Updated: May 12, 2026, 7:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.