CVE-2024-1873
📋 TL;DR
The CVE-2024-1873 vulnerability in parisneo/lollms-webui allows attackers to perform path traversal attacks through an exposed /select_database endpoint. This enables directory creation anywhere on the system and database path manipulation, potentially causing denial of service and data loss. All users running vulnerable versions of lollms-webui are affected.
💻 Affected Systems
- parisneo/lollms-webui
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through directory creation in critical locations, permanent data loss by scattering database files, and server startup failure by overwriting critical files like HTTPS certificates.
Likely Case
Denial of service through directory creation in critical paths and partial data loss through database path manipulation.
If Mitigated
Limited impact with proper file permission restrictions and network segmentation, though the vulnerability remains exploitable.
🎯 Exploit Status
The exploit requires only HTTP requests to the vulnerable endpoint with crafted parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 02e829b5653a1aa5dbbe9413ec84f96caa1274e8
Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/02e829b5653a1aa5dbbe9413ec84f96caa1274e8
Restart Required: Yes
Instructions:
1. Update to the latest version of lollms-webui.
2. Apply commit 02e829b5653a1aa5dbbe9413ec84f96caa1274e8.
3. Restart the lollms-webui service.
🔧 Temporary Workarounds
Network Access Restriction
(Linux) Restrict access to the /select_database endpoint using firewall rules or web server configuration. Note that the iptables string match below inspects raw packet payloads, so it only catches the path in plaintext HTTP and does not see it inside TLS-encrypted (HTTPS) traffic.
iptables -A INPUT -p tcp --dport [WEBUI_PORT] -m string --string "/select_database" --algo bm -j DROP
Application Firewall Rule
(All platforms) Block requests to the vulnerable endpoint at the application level.
Add a rule to block the /select_database endpoint in the web server configuration (nginx/apache).
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the lollms-webui instance from critical systems.
- Apply strict file system permissions to limit the application's write access to necessary directories only.
🔍 How to Verify
Check if Vulnerable:
Check if the /select_database endpoint accepts absolute paths by testing with a crafted request containing an absolute path parameter.
Check Version:
Check the git commit hash or version string in the lollms-webui installation directory.
Verify Fix Applied:
Verify that the /select_database endpoint now properly validates and restricts file paths to intended directories only.
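One way a fixed endpoint can confine the database parameter to the intended directory, as an added example written for this page (not code from lollms-webui or from the fix commit; the databases directory, the parameter handling and the .db suffix rule are assumptions):

```python
from pathlib import Path

# Hypothetical directory where the web UI is meant to keep its databases
# (constructed for this example; not the project's real setting).
DATABASES_DIR = Path("/srv/lollms/databases")


def resolve_database_path(requested: str, base: Path = DATABASES_DIR) -> Path:
    """Map a user-supplied database name to a file under `base`, or raise ValueError.

    Rejects absolute paths, parent-directory components, backslashes and
    symlink escapes, so the endpoint can never be steered into creating
    directories or files outside the databases directory.
    """
    if not requested or "\x00" in requested or "\\" in requested:
        raise ValueError("empty or malformed database name")
    candidate = Path(requested)
    if candidate.is_absolute():
        raise ValueError("absolute paths are not allowed")
    if ".." in candidate.parts:
        raise ValueError("parent-directory references are not allowed")
    base_resolved = base.resolve()
    # resolve() collapses '.' segments and follows symlinks; it is non-strict,
    # so a database file that does not exist yet can still be validated.
    target = (base_resolved / candidate).resolve()
    try:
        target.relative_to(base_resolved)
    except ValueError:
        raise ValueError("path escapes the databases directory") from None
    if target.suffix != ".db":
        raise ValueError("database must be a .db file")
    return target


def is_safe_database_name(requested: str, base: Path = DATABASES_DIR) -> bool:
    """Boolean convenience wrapper around resolve_database_path()."""
    try:
        resolve_database_path(requested, base)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["notes.db", "project_a/notes.db", "/etc/ssl/server.key", "../../etc/passwd"]:
        print(f"{name!r}: {'accepted' if is_safe_database_name(name) else 'rejected'}")
```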
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /select_database with suspicious path parameters
- File system events showing directory creation in unexpected locations
Network Indicators:
- Unusual HTTP POST requests to /select_database endpoint
- Multiple rapid requests to the vulnerable endpoint
SIEM Query:
source="web_server_logs" AND uri_path="/select_database" AND (param="absolute_path" OR param=".." OR param="/")