A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due to insufficient sanitization of user-supplied input for the `path` parameter, allowing an attacker to specify arbitrary file system paths. This flaw enables direct arbitrary file uploads, leakage of `personal_data`, and overwriting of configurations in `lollms-webui`->`configs` by exploiting the same named directory in `personal_data`. The issue affects the latest version of the application and is fixed in version 9.4. Successful exploitation could lead to sensitive information disclosure, unauthorized file uploads, and potentially remote code execution by overwriting critical configuration files.
The vulnerability is located in the `@router.get("/switch_personal_path")` endpoint in the `lollms_core/lollms/server/endpoints/lollms_user.py` file. The `path` parameter passed by the user is not properly validated or sanitized, allowing an attacker to specify any path in the file system (CWE-22, CWE-29). The exploit enables direct file uploads to selected locations, data leakage from the `personal_data` directory, and configuration overwriting in the `configs` directory through use of an identically named directory in `personal_data`. Overwriting critical configuration files can lead to arbitrary code execution (RCE).
An attacker can gain access to sensitive user data, upload arbitrary files to the server, overwrite application configuration files, and consequently lead to remote code execution (RCE) on the server hosting the application.
The lollms-webui application should be updated to version 9.4 or newer, in which the vulnerability has been fixed. The patch is available in commit aeba79f3ea934331b8ecd625a58bae6e4f7e7d3f in the manufacturer's GitHub repository.
The parisneo/lollms-webui application — versions prior to 9.4 (vulnerability present in the latest version at the time of publication).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLollms Web Ui
APPLollms< 9.4
Related vulnerabilities
SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów
Path traversal w API install/uninstall lollms-webui V12 (Strawberry)
Path Traversal w lollms-webui umożliwia usunięcie dowolnego pliku
Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui
Command Injection w lollms-webui — obejście zabezpieczeń i RCE