parisneo lollms-webui Denial-of-Service Vulnerability via Cross-Site Request Forgery in File Upload Endpoints

A denial-of-service vulnerability has been identified in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability can be exploited remotely through cross-site request forgery (CSRF). Although CSRF protection is in place to block file uploads, the application still processes multipart boundaries, which can lead to resource exhaustion. By adding extra characters to the multipart boundary, an attacker can manipulate the server into parsing each byte of the boundary, causing service disruption. The affected endpoints are '/upload_avatar', '/upload_app', and '/upload_logo'.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to become unavailable. The server's resources are exhausted as it processes the manipulated multipart boundaries, disrupting normal service operations.

Reproduction

The vulnerability can be reproduced by sending a multipart request with an excessively long boundary to one of the vulnerable endpoints. This can be done using a Python script that automates the process, appending a large number of characters to the boundary. Alternatively, the vulnerability can be exploited manually through a crafted HTML form that simulates a CSRF attack, targeting the same endpoints with similar boundary manipulations.