CVE-2024-10047
📋 TL;DR
This vulnerability allows attackers to list arbitrary directories on Windows systems running vulnerable versions of lollms-webui. By sending a specially crafted HTTP request to the /open_file endpoint, attackers can enumerate directory contents without authentication. This affects all users running lollms-webui versions v9.9 through the latest at the time of disclosure.
💻 Affected Systems
- parisneo/lollms-webui
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate sensitive directories, discover configuration files, credentials, or other sensitive data, potentially leading to further exploitation.
Likely Case
Directory enumeration revealing system structure, potentially exposing sensitive file locations or configuration details.
If Mitigated
Limited information disclosure with proper access controls and network segmentation in place.
🎯 Exploit Status
Exploitation requires only a simple HTTP request to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest release after CVE publication
Vendor Advisory: https://huntr.com/bounties/69c3a27c-bd93-4aff-a46b-56798f28a3ce
Restart Required: Yes
Instructions:
1. Update to the latest patched version of lollms-webui.
2. Restart the webui service.
3. Verify the fix by testing the /open_file endpoint.
🔧 Temporary Workarounds
Restrict access to /open_file endpoint
Use web server configuration to block or restrict access to the vulnerable endpoint
# Example for nginx: location /open_file { deny all; }
# Example for Apache: <Location /open_file> Require all denied </Location>
Network segmentation
Restrict network access to the lollms-webui instance
# Use firewall rules to limit access to trusted IPs only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the webui
- Monitor logs for suspicious access patterns to the /open_file endpoint
🔍 How to Verify
Check if Vulnerable:
Send a crafted HTTP request to http://[target]/open_file with directory traversal payloads and check if directory contents are returned.
Check Version:
Check the lollms-webui version in the web interface or configuration files
Verify Fix Applied:
Attempt the same directory traversal requests after patching; they should return error messages or be blocked entirely.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /open_file endpoint with directory traversal patterns
- Unusual access patterns to the webui from unexpected sources
Network Indicators:
- HTTP requests containing ../ or similar directory traversal sequences
- Multiple rapid requests to /open_file endpoint
SIEM Query:
source="webui.log" AND uri="/open_file" AND (uri="*../*" OR uri="*..\\*")
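The log indicators and SIEM query above, applied to access logs offline, as an added example (not part of the advisory or of lollms-webui). It assumes nginx-style combined log lines in front of the webui; the sample lines and the "path" query parameter name are constructed placeholders, and the percent-decoding step goes beyond the plain "../" match in the SIEM query to catch encoded variants.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (nginx combined format). The "path" parameter
# name is a placeholder and not taken from lollms-webui.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /open_file?path=..%2F..%2FWindows HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /open_file?path=..\\..\\Users HTTP/1.1" 200 498 "-" "curl/8.4"',
    '198.51.100.4 - - [10/Oct/2024:12:00:03 +0000] "GET /open_file?path=notes.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2024:12:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
])

# Fields of a combined log line: client IP, timestamp, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Same condition as the SIEM query: a ".." segment followed by "/" or "\".
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def is_traversal(uri):
    """True if the URI contains a '..' traversal sequence, including
    single- or double-percent-encoded forms (e.g. %2F, %252F)."""
    decoded = unquote(unquote(uri))
    return TRAVERSAL_RE.search(decoded) is not None


def find_open_file_traversal(log_text):
    """Return (ip, status, uri) for each /open_file request carrying a
    traversal sequence; a 200 status on such a request suggests the
    directory listing was actually returned."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        uri = m.group("uri")
        if uri.split("?", 1)[0] == "/open_file" and is_traversal(uri):
            hits.append((m.group("ip"), int(m.group("status")), uri))
    return hits


if __name__ == "__main__":
    for ip, status, uri in find_open_file_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {uri}")
```

Grouping the hits by source IP over a short window covers the "multiple rapid requests" indicator as well.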