Path Traversal in parisneo/lollms-webui
Description
A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the lollms_file_system.py file. The functions add_rag_database, toggle_mount_rag_database, and vectorize_folder do not implement security measures such as sanitize_path_from_endpoint or sanitize_path. This allows an attacker to perform vectorize operations on .sqlite files in any directory on the victim's computer, potentially installing multiple packages and causing a crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in lollms-webui's file system functions allows attackers to vectorize .sqlite files anywhere on the system, leading to package installation and crashes.
Vulnerability
Overview
CVE-2024-6971 is a path traversal vulnerability in the lollms-webui repository, specifically in the lollms_file_system.py file. The functions add_rag_database, toggle_mount_rag_database, and vectorize_folder fail to implement proper path sanitization measures such as sanitize_path_from_endpoint or sanitize_path [1]. This oversight allows an attacker to specify arbitrary file paths, bypassing intended directory restrictions.
Exploitation
An attacker can exploit this vulnerability by sending crafted requests that target .sqlite files located in any directory on the victim's computer. The lack of input validation means that the vectorize_folder function can be directed to process files outside the intended data store directories [1]. The attack does not require elevated privileges beyond the ability to interact with the web UI's API endpoints.
Impact
Successful exploitation enables the attacker to perform vectorize operations on arbitrary .sqlite files, which can lead to the installation of multiple packages and ultimately cause a crash of the application [1]. This could result in denial of service and potentially allow further compromise depending on the packages installed. The vulnerability was reported via the Huntr bug bounty platform [3].
Mitigation
As of the publication date, no official patch has been released. Users are advised to monitor the repository for updates and apply any security fixes promptly. Restricting network access to the web UI and implementing additional input validation can serve as temporary mitigations.
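One shape the "additional input validation" above can take is a confinement check that resolves a requested path and accepts it only when it stays inside the intended data-store directory and names a .sqlite file. This is an added example, not the project's own sanitize_path or any code from lollms-webui; the function name, the data-store directory and the sample requests are assumptions constructed for illustration.

```python
# Added example (not lollms-webui code): a path-confinement check of the kind the
# advisory says add_rag_database, toggle_mount_rag_database and vectorize_folder
# lack. Names and sample inputs are constructed for illustration.
import tempfile
from pathlib import Path


class PathOutsideDataStore(ValueError):
    """Raised when a requested path resolves outside the permitted data store."""


def confine_to_data_store(user_path: str, data_store: Path, suffix: str = ".sqlite") -> Path:
    """Resolve `user_path` relative to `data_store` and accept it only if it stays inside.

    Both sides are resolved to absolute, symlink-free paths before comparison, so
    `..` segments, absolute paths and symlinks pointing out of the store are rejected
    instead of being silently followed.
    """
    base = data_store.resolve(strict=True)
    # A relative request is interpreted relative to the store, never the CWD;
    # an absolute request replaces `base` on join and is caught by relative_to().
    candidate = (base / user_path).resolve(strict=False)
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathOutsideDataStore(f"{user_path!r} resolves outside {base}") from None
    if candidate.suffix.lower() != suffix:
        raise ValueError(f"{user_path!r} is not a {suffix} database")
    return candidate


def demo() -> dict:
    """Exercise the check against constructed requests in a temporary data store."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "data_stores"          # assumed data-store directory
        store.mkdir()
        (store / "notes.sqlite").touch()           # constructed legitimate database
        requests = [
            "notes.sqlite",            # inside the store: accepted
            "../../outside.sqlite",    # climbs out of the store: rejected
            "/tmp/other.sqlite",       # absolute path: rejected
            "notes.txt",               # inside the store but not a database: rejected
        ]
        for req in requests:
            try:
                confine_to_data_store(req, store)
                results[req] = "accepted"
            except PathOutsideDataStore:
                results[req] = "rejected: outside data store"
            except ValueError:
                results[req] = "rejected: not a .sqlite file"
    return results
```

Applied at the API boundary, the same check would make the three functions refuse any path that leaves the configured data-store directory before any vectorize work (and any package installation it triggers) begins.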
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lollms (PyPI) | <= 9.5.1 | — |
Affected products (2)
parisneo/parisneo/lollms v5, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.