LangBot Cross-Directory File Upload Vulnerability Allowing Arbitrary File Uploads
Vulnerability
A cross-directory file upload vulnerability has been identified in LangBot versions from 4.1.0 up to, but not including, 4.3.5. It allows authorized attackers to use the '/api/v1/files/documents' interface for arbitrary file uploads. The interface does not strictly restrict the storage directory, so potentially harmful files can be uploaded to specific system directories. Exploitation could lead to severe consequences, such as system takeover.
Impact
Exploitation of this vulnerability could result in unauthorized file uploads to critical system directories, potentially allowing for execution of malicious scripts or access to sensitive information, such as SSH private keys.
Reproduction
To reproduce this vulnerability, log into the LangBot system and access the '/api/v1/files/documents' interface. Upload a file with a specially crafted filename that includes an absolute path to a sensitive directory, such as the Windows Startup folder or a Linux autostart directory. Once the file is uploaded, it will be executed automatically or conditionally, depending on the file type and location.
Remediation
Users can update to LangBot version 4.3.5, where this vulnerability has been fixed.
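For teams reviewing their own upload handlers for the same class of bug, the following added example (not LangBot's code and not the 4.3.5 fix) contrasts a naive path join with a hardened one. The storage root, the extension allow-list and both function names are assumptions made for illustration.

```python
import ntpath
import posixpath
import uuid
from pathlib import Path

UPLOAD_ROOT = Path("/var/lib/app/uploads")  # assumed storage directory
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".md", ".docx"}  # assumed allow-list


def naive_destination(filename: str) -> str:
    """Unsafe pattern (assumed, for illustration): join root and client name."""
    # posixpath.join discards the root when the second part is absolute.
    return posixpath.join(str(UPLOAD_ROOT), filename)


def safe_destination(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Derive a storage path that cannot leave `root` (needs Python 3.9+)."""
    # Drop every directory component, Windows or POSIX, whatever the host OS.
    base = posixpath.basename(ntpath.basename(filename.replace("\x00", "")))
    ext = posixpath.splitext(base)[1].lower()
    if not base or base in {".", ".."} or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload name: {filename!r}")
    # Store under a server-generated name; keep only the vetted extension.
    candidate = (root / f"{uuid.uuid4().hex}{ext}").resolve()
    # Defence in depth: the resolved path must still sit inside the root.
    if not candidate.is_relative_to(root.resolve()):
        raise ValueError(f"path escapes upload root: {filename!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample filenames, as a client might submit them.
    samples = [
        "report.txt",
        "/etc/cron.d/job.txt",
        "C:\\Users\\a\\Start Menu\\notes.PDF",
        "/home/a/.config/autostart/run.desktop",
    ]
    for name in samples:
        print("naive:", naive_destination(name))
        try:
            print("safe: ", safe_destination(name))
        except ValueError as exc:
            print("safe:  rejected:", exc)
```
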
