CVE-2024-9216
📋 TL;DR
This authentication bypass vulnerability in ChuanhuChatGPT allows attackers to read and delete other users' chat histories by manipulating username parameters in HTTP requests. Any deployment of the affected software version is vulnerable. The vulnerability stems from client-side username validation rather than secure server-side authentication.
💻 Affected Systems
- gaizhenbiao/ChuanhuChatGPT
📦 What is this software?
Chuanhuchatgpt by Gaizhenbiao
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user chat histories, including potential exposure of sensitive information, intellectual property, or personal data, with ability to delete all chat records.
Likely Case
Unauthorized access to specific users' chat histories, potentially exposing private conversations and sensitive information shared within the chat interface.
If Mitigated
Limited impact if proper authentication controls and input validation are implemented, restricting access to authorized users only.
🎯 Exploit Status
Exploitation requires understanding of the API endpoints and ability to craft HTTP requests with manipulated username parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 3856d4f
Vendor Advisory: https://huntr.com/bounties/21e54c3f-e2d7-423b-9890-1f0cb99af4dd
Restart Required: No
Instructions:
1. Update to the latest version of ChuanhuChatGPT. 2. Verify the fix by checking that username validation occurs server-side. 3. Test authentication mechanisms thoroughly.
🔧 Temporary Workarounds
Implement server-side authentication
allModify the application to validate usernames server-side using secure session tokens or cookies instead of client-provided parameters.
🧯 If You Can't Patch
- Implement network segmentation to isolate the vulnerable application from sensitive data and other systems.
- Deploy a web application firewall (WAF) with rules to detect and block username parameter manipulation attempts.
🔍 How to Verify
Check if Vulnerable:
Test if you can access another user's chat history by modifying the username parameter in API requests to the get_model function.Check Version:
Check git commit hash or version number against vulnerable commit 3856d4fVerify Fix Applied:
Verify that username parameters are validated server-side and cannot be manipulated to access other users' data.📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to chat history endpoints
- Multiple username parameter changes in short timeframes
- Access attempts with usernames different from authenticated user
Network Indicators:
- HTTP requests with manipulated username parameters
- Unusual API call patterns to chat history endpoints
SIEM Query:
source="web_logs" AND (endpoint="get_model" OR endpoint="chat_history") AND username != authenticated_user