Parisneo Lollms-Webui Path Traversal Vulnerability in Upload Function Allowing Arbitrary File Deletion

Vulnerability

A critical path traversal vulnerability has been identified in Parisneo Lollms-Webui version 12 (Strawberry). The issue arises in the 'upload_app' function, which lacks proper input validation for the 'filename' parameter. Because the unvalidated name is used to build a filesystem path, an attacker can traverse out of the intended upload directory and delete any file or directory on the system. The vulnerability affects releases prior to v14, the latest release, in which it has been fixed.

Impact

Exploitation of this vulnerability allows for the arbitrary deletion of files or directories on the system.

Reproduction

To reproduce this vulnerability, send a POST request to the '/upload_app' endpoint with a 'client_id' and a 'file' parameter. The 'file' parameter should include a crafted filename that traverses directories, such as '../../../../../etc/passwd', and the file should be uploaded as a zip archive containing a 'description.yaml' file. The 'query' parameter can also be included in the request.

Remediation

Users are advised to update to Parisneo Lollms-Webui version 14, where this vulnerability has been fixed.
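The root cause described above is a filename that reaches a filesystem operation without being reduced to a single safe path component. The following is an added illustration of the check such an upload handler needs; it is example code written for this page, not the lollms-webui project's own fix, and the function names, the allow-list pattern and the `APPS_ROOT` directory are assumptions rather than anything taken from the project.

```python
"""Added example: validate an uploaded filename before it is used to build a
filesystem path. Illustrative code, not the lollms-webui project's own fix.
"""
import re
from pathlib import Path
from typing import Optional

# Assumed upload directory (placeholder, not the project's real path).
APPS_ROOT = Path("/srv/example/apps").resolve()

# Conservative allow-list: one component, starts with an alphanumeric,
# then only alphanumerics, dot, underscore or dash, at most 128 chars.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def sanitize_filename(filename: str) -> Optional[str]:
    """Return the filename if it is a single safe path component, else None.

    Rejects NUL bytes, any '/' or '\\' separator, the '.' and '..'
    components, and anything outside the allow-list pattern. A traversal
    attempt is rejected outright rather than silently stripped, so it can
    be logged as a suspicious request instead of being quietly 'fixed'.
    """
    if not filename or "\x00" in filename:
        return None
    normalized = filename.replace("\\", "/")
    if "/" in normalized:
        return None
    if normalized in (".", "..") or not _SAFE_NAME.match(normalized):
        return None
    return normalized


def resolve_upload_target(base_dir: Path, filename: str) -> Optional[Path]:
    """Map a client-supplied filename to a path that is guaranteed to lie
    inside base_dir, or return None if it cannot be made safe.

    The final containment check is belt-and-braces: even if the allow-list
    is later loosened, a resolved path outside base_dir is still refused.
    """
    name = sanitize_filename(filename)
    if name is None:
        return None
    root = base_dir.resolve()
    target = (root / name).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: the traversal string from the advisory and a
    # benign archive name.
    for candidate in ("../../../../../etc/passwd", "my_app.zip", "..", "a\\..\\b"):
        print(repr(candidate), "->", resolve_upload_target(APPS_ROOT, candidate))
```

Only a path returned by `resolve_upload_target` should ever be passed to a delete, extract or write call; the handler should reject the request (and log the original filename) whenever it returns `None`.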

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.