CVE-2024-2548
📋 TL;DR
A path traversal vulnerability in parisneo/lollms-webui allows attackers to read arbitrary files on Windows systems by exploiting inadequate path validation in the /user_infos/ endpoint. It affects LoLLMs installations on Windows running versions before the 9.5 fix. Attackers can read sensitive system files such as win.ini through specially crafted requests.
💻 Affected Systems
- parisneo/lollms-webui
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading of sensitive files like passwords, configuration files, SSH keys, or database credentials, potentially leading to lateral movement or data exfiltration.
Likely Case
Unauthorized access to sensitive application or system files containing configuration data, user information, or credentials.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external exploitation.
🎯 Exploit Status
Exploitation demonstrated with win.ini file reading; simple HTTP requests to the vulnerable endpoint can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5
Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/49b0332e98d42dd5204dda53dee410b160106265
Restart Required: Yes
Instructions:
1. Update to version 9.5 or later via git pull or package manager.
2. Restart the LoLLMs service.
3. Verify the fix by checking the version and testing the vulnerable endpoint.
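The root cause described above is inadequate path validation: a filename taken from the request is joined to the served directory without checking where the result ends up, so `..\` (and `../`, which Windows also accepts) escapes it. The following is an added illustration of the kind of check that closes this class of bug; it is not the project's own code or the content of the linked commit. It uses Python's `ntpath` module so that Windows path rules (backslash and slash as separators, drive letters, case-insensitive names) are applied regardless of the host the example runs on. `BASE_DIR` and `resolve_request_path` are constructed names for this example.

```python
import ntpath
import urllib.parse
from typing import Optional

# Constructed example: the directory the endpoint is allowed to serve from.
BASE_DIR = r"C:\lollms\user_infos"


def resolve_request_path(base_dir: str, requested: str) -> Optional[str]:
    """Map a user-supplied name onto a file inside base_dir.

    Returns the normalised absolute Windows path if it stays inside
    base_dir, or None if the request must be refused.
    """
    # Decode percent-encoding once. A double-encoded "%252e" decodes to "%2e",
    # which still contains "%" and never becomes ".." here, so it is not
    # silently accepted as a traversal either.
    decoded = urllib.parse.unquote(requested)

    # Refuse drive letters ("C:win.ini") and NTFS alternate data streams,
    # both of which use ':'.
    if ":" in decoded:
        return None

    # Refuse rooted paths. Python 3.13 changed ntpath.isabs() for single
    # leading separators, so the startswith check is kept explicit.
    if ntpath.isabs(decoded) or decoded.startswith(("\\", "/")):
        return None

    # Join, then normalise with Windows rules: collapses ".." components and
    # turns "/" into "\" so both separator forms are handled identically.
    candidate = ntpath.normpath(ntpath.join(base_dir, decoded))
    base_norm = ntpath.normpath(base_dir)

    # NTFS is case-insensitive; compare accordingly. Require a separator
    # after the base so "C:\lollms\user_infos_x" is not treated as inside.
    if candidate.lower() == base_norm.lower():
        return None  # the directory itself, not a file in it
    if not candidate.lower().startswith(base_norm.lower() + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Requests of the kind the endpoint should serve and refuse, respectively.
    print(resolve_request_path(BASE_DIR, "profile.json"))
    print(resolve_request_path(BASE_DIR, r"..\..\Windows\win.ini"))
```

The decisive step is comparing the normalised result against the normalised base directory rather than scanning the input for `..`: filtering the string misses alternative spellings, whereas checking where the path actually lands does not depend on how the traversal was written.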
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the vulnerable endpoint using firewall rules or web server configuration.
# Example: Block external access to /user_infos/ endpoint
# Use appropriate firewall or reverse proxy configuration
Endpoint Disablement
Temporarily disable the vulnerable /user_infos/ endpoint if it is not required.
# Modify server configuration to remove or comment out the vulnerable endpoint
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable system from sensitive networks.
- Deploy web application firewall (WAF) rules to block path traversal patterns in requests.
🔍 How to Verify
Check if Vulnerable:
Check if running version before 9.5 on Windows and test the /user_infos/ endpoint with path traversal payloads.
Check Version:
Check the application version in the web interface or configuration files, or run: python -c "import lollms; print(lollms.__version__)"
Verify Fix Applied:
Update to version 9.5+, restart service, and test that path traversal attempts to sensitive files are blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /user_infos/ with unusual paths or traversal patterns (../, ..\)
- Access to sensitive system files through application logs
Network Indicators:
- Unusual file access patterns from the application server
- Requests containing path traversal sequences to the vulnerable endpoint
SIEM Query:
source="web_server_logs" AND (url_path="/user_infos/*" AND (url_path="*../*" OR url_path="*..\*"))
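The SIEM query above matches literal `../` and `..\` in the request path, so it misses the same traversal sent percent-encoded (`%2e%2e%5c`) or double-encoded unless the logging pipeline decodes the field first. The following added example, not part of the advisory, applies the same detection logic to raw web server access-log lines: it decodes the path (repeatedly, to catch double encoding), restricts matches to the /user_infos/ endpoint, and reports only `..` that forms a whole path component, so a file called `..profile` does not alert. The log lines are constructed for this example and the function names are this example's own.

```python
import re
import urllib.parse

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /user_infos/avatar.png HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /user_infos/..%5C..%5CWindows%5Cwin.ini HTTP/1.1" 200 403
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /user_infos/../../Windows/win.ini HTTP/1.1" 200 403
10.0.0.7 - - [12/Mar/2024:10:01:11 +0000] "GET /static/app.js HTTP/1.1" 200 9000
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /user_infos/%252e%252e%255cWindows%255cwin.ini HTTP/1.1" 200 403
10.0.0.5 - - [12/Mar/2024:10:01:20 +0000] "GET /user_infos/..profile HTTP/1.1" 404 0
"""

# Fields of one Common Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." only counts when it is a whole path component, with either separator.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Endpoint named in the advisory.
VULNERABLE_PREFIX = "/user_infos/"


def decode_path(raw: str) -> str:
    """Percent-decode until the string stops changing (bounded) to
    normalise double-encoded traversal sequences."""
    path = raw
    for _ in range(3):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the decoded path targets the vulnerable endpoint and
    contains a '..' component."""
    decoded = decode_path(raw_path)
    return decoded.startswith(VULNERABLE_PREFIX) and bool(TRAVERSAL_RE.search(decoded))


def scan_log(text: str) -> list:
    """Return one record per suspicious request. A 200 status on a flagged
    line means the server served the file and should be triaged first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal_attempt(m["path"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": m["path"],
                "decoded": decode_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["decoded"])
```

When running this against real logs, pair it with the post-patch version check: traversal requests that return 200 on a host still below 9.5 indicate the file was actually disclosed, while the same requests returning an error after the update confirm the fix is in place.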
🔗 References
- https://github.com/parisneo/lollms-webui/commit/49b0332e98d42dd5204dda53dee410b160106265
- https://huntr.com/bounties/65979513-db0d-46fd-9977-fcd73bcd8a41