mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 08:21:12 -05:00
[GH-ISSUE #8884] Security Issue - Prompts Import - Improper input validation - CSPT #118616
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @maxcx on GitHub (Jan 24, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/8884
Summary
When a user imports untrusted prompts, improper input validation occurs for the 'command' field. This allows malicious users to exploit vulnerabilities, such as injecting HTML tags or using directory traversal sequences (e.g., ../) to conduct Client-Side Path Traversal (CSPT) attacks targeting the DELETE method. Attackers can craft specially designed prompts that cannot be removed after import and, in the worst-case scenario, may execute DELETE requests on arbitrary endpoints.
PoC/Details - Client-Side Path Traversal (CSPT)
[{"command":"/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ENDPOINT_xxexxxDEFINED_BY_BAD_GUY","user_id":"996a76ca-14df-410c-b0ec-39f5248d4474","title":"blabla","content":"blabla","timestamp":1736719368,"access_control":null,"user":{"id":"996a76ca-14df-410c-b0ec-39f5248d4474","name":"admin","email":"cx@localhost","role":"admin","profile_image_url":"blabla"}}]Behavior on Interaction:
When the user clicks on the prompt: This triggers a GET request due to CSPT:
INFO: 127.0.0.1:63151 - "GET /ENDPOINT_DEFINED_BY_BAD_GUY HTTP/1.1" 200 OKWhen the user tries to delete the prompt: A DELETE request is triggered, targeting an arbitrary endpoint:
INFO: 127.0.0.1:63221 - "DELETE /ENDPOINT_DEFINED_BY_BAD_GUY/delete HTTP/1.1" 405 Method Not AllowedPoC/Details - Improper Neutralization of Input During Web Page Generation
[{"command":"/some<IMG SRC=http:cert.cx>HTMLTAGs","user_id":"996a76ca-14df-410c-b0ec-39f5248d4474","title":"blabla","content":"blabla","timestamp":1736719368,"access_control":null,"user":{"id":"996a76ca-14df-410c-b0ec-39f5248d4474","name":"admin","email":"cx@localhost","role":"admin","profile_image_url":"blabla"}}]When the user opens the prompt and hovers over the name, the malicious HTML tag is executed, leading to unwanted behavior.
"Activate this command by typing \"/{{COMMAND}}\" to chat input.": "",Impact
Persistent Malicious Prompts:
Attackers can create prompts that cannot be deleted, potentially disrupting application functionality.
Arbitrary Endpoint Manipulation:
Through CSPT, attackers can manipulate DELETE requests to target unintended resources, resulting in data loss or other unintended side effects.
Potential Cross-Site Scripting (XSS):
Improper neutralization of input during web page generation allows attackers to execute arbitrary HTML or JavaScript code, leading to potential XSS attacks.
Proposal of patch
Add to backend/open_webui/routers/prompts.py validation of command field before inserting
Thanks
Guys... big thanks for your open source project. I really appreciate your hard job.
Maksymilian Arciemowicz
@tjbck commented on GitHub (Jan 25, 2025):
Have you actually tried this? Our backend has a sanitisation logic that will block this request.
@MaksymilianA commented on GitHub (Jan 25, 2025):
@tjbck Please check screenshot. I've pulled last changes and it's still possible. You have right that manualy it's not possible. BUT special crafted prompt can create such issue
if you know where is the validation.. i can check