A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the 'extensions' parameter. Attackers can exploit this by crafting a payload that includes relative path traversal sequences ('../../../'), enabling them to navigate to arbitrary directories. This flaw subsequently allows the server to load and execute a malicious '__init__.py' file, leading to remote code execution. The issue affects the latest version of parisneo/lollms-webui.
The attacker sends a crafted request to the '/apply_settings' endpoint, providing path traversal sequences (e.g., '../../../') in the 'extensions' parameter, which allow escaping the permitted directory. The server, without properly validating the path, loads the '__init__.py' file indicated by the attacker from any location in the file system. Loading this file results in execution of the malicious code contained within it with the privileges of the server process. The vulnerability results from insufficient validation of configuration data supplied by the user.
An attacker can remotely execute arbitrary code on the server without authentication, leading to complete system compromise, data theft, and potential lateral movement within the network.
Apply patches available from the vendor according to the references. As a temporary measure, it is recommended to restrict network access to the lollms-webui interface exclusively to trusted IP addresses and avoid exposing the service on public networks.
The latest version of parisneo/lollms-webui (lollms Web UI) available at the time of vulnerability publication (2024-05-16)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLollms Web Ui
APPLollms< 9.5
Related vulnerabilities
SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów
Path traversal w API install/uninstall lollms-webui V12 (Strawberry)
Path Traversal w lollms-webui umożliwia usunięcie dowolnego pliku
Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui
Path Traversal prowadzący do RCE w parisneo/lollms-webui