text-generation-webui Local File Inclusion Vulnerability in Character Picture Upload

A local file inclusion (LFI) vulnerability has been identified in text-generation-webui, an open-source web interface for running large language models. This vulnerability exists in versions through 3.13, specifically within the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the application processes the upload, it follows the symbolic link and serves the contents of the targeted file through the web interface. This exploitation allows an unauthenticated attacker to read sensitive files on the server, potentially exposing system configurations, credentials, and other confidential information.

Impact

Exploitation of this vulnerability allows for local file inclusion, where an attacker can read arbitrary files on the server. This could lead to the disclosure of sensitive information such as system configurations and credentials.

Reproduction

To reproduce this vulnerability, upload a text file containing a symbolic link to a sensitive file, such as C:/Windows/win.ini, through the character picture upload feature. After the upload is processed, the contents of the linked file will be displayed via the web interface.

Remediation

Users are advised to update to version 3.14, where this vulnerability has been fixed.