[GH-ISSUE #8884] Security Issue - Prompts Import - Improper input validation - CSPT #135032

Closed
opened 2026-05-25 01:34:36 -05:00 by GiteaMirror · 2 comments
Owner

Originally created by @maxcx on GitHub (Jan 24, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/8884

Summary
When a user imports untrusted prompts, improper input validation occurs for the 'command' field. This allows malicious users to exploit vulnerabilities, such as injecting HTML tags or using directory traversal sequences (e.g., ../) to conduct Client-Side Path Traversal (CSPT) attacks targeting the DELETE method. Attackers can craft specially designed prompts that cannot be removed after import and, in the worst-case scenario, may execute DELETE requests on arbitrary endpoints.

PoC/Details - Client-Side Path Traversal (CSPT)
[{"command":"/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ENDPOINT_xxexxxDEFINED_BY_BAD_GUY","user_id":"996a76ca-14df-410c-b0ec-39f5248d4474","title":"blabla","content":"blabla","timestamp":1736719368,"access_control":null,"user":{"id":"996a76ca-14df-410c-b0ec-39f5248d4474","name":"admin","email":"cx@localhost","role":"admin","profile_image_url":"blabla"}}]

Behavior on Interaction:

When the user clicks on the prompt: This triggers a GET request due to CSPT:
INFO: 127.0.0.1:63151 - "GET /ENDPOINT_DEFINED_BY_BAD_GUY HTTP/1.1" 200 OK

When the user tries to delete the prompt: A DELETE request is triggered, targeting an arbitrary endpoint:
INFO: 127.0.0.1:63221 - "DELETE /ENDPOINT_DEFINED_BY_BAD_GUY/delete HTTP/1.1" 405 Method Not Allowed

PoC/Details - Improper Neutralization of Input During Web Page Generation
[{"command":"/some<IMG SRC=http:cert.cx>HTMLTAGs","user_id":"996a76ca-14df-410c-b0ec-39f5248d4474","title":"blabla","content":"blabla","timestamp":1736719368,"access_control":null,"user":{"id":"996a76ca-14df-410c-b0ec-39f5248d4474","name":"admin","email":"cx@localhost","role":"admin","profile_image_url":"blabla"}}]

When the user opens the prompt and hovers over the name, the malicious HTML tag is executed, leading to unwanted behavior.

"Activate this command by typing \"/{{COMMAND}}\" to chat input.": "",

Impact
Persistent Malicious Prompts:
Attackers can create prompts that cannot be deleted, potentially disrupting application functionality.

Arbitrary Endpoint Manipulation:
Through CSPT, attackers can manipulate DELETE requests to target unintended resources, resulting in data loss or other unintended side effects.

Potential Cross-Site Scripting (XSS):
Improper neutralization of input during web page generation allows attackers to execute arbitrary HTML or JavaScript code, leading to potential XSS attacks.

Proposal of patch
Add to backend/open_webui/routers/prompts.py validation of command field before inserting

@router.post("/create", response_model=Optional[PromptModel])
async def create_new_prompt(
    request: Request, form_data: PromptForm, user=Depends(get_verified_user)
):
    if user.role != "admin" and not has_permission(
        user.id, "workspace.prompts", request.app.state.config.USER_PERMISSIONS
    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
        )
    
    if not re.match(r'^[a-zA-Z0-9\-\/]+$', form_data.command):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Invalid command: Only alphanumeric characters and hyphens are allowed.",
        )


    prompt = Prompts.get_prompt_by_command(form_data.command)
    if prompt is None:
        prompt = Prompts.insert_new_prompt(user.id, form_data)

Thanks
Guys... big thanks for your open source project. I really appreciate your hard job.
Maksymilian Arciemowicz

Originally created by @maxcx on GitHub (Jan 24, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/8884 **Summary** When a user imports untrusted prompts, improper input validation occurs for the 'command' field. This allows malicious users to exploit vulnerabilities, such as injecting HTML tags or using directory traversal sequences (e.g., ../) to conduct Client-Side Path Traversal (CSPT) attacks targeting the DELETE method. Attackers can craft specially designed prompts that cannot be removed after import and, in the worst-case scenario, may execute DELETE requests on arbitrary endpoints. **PoC/Details - Client-Side Path Traversal (CSPT)** `[{"command":"/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ENDPOINT_xxexxxDEFINED_BY_BAD_GUY","user_id":"996a76ca-14df-410c-b0ec-39f5248d4474","title":"blabla","content":"blabla","timestamp":1736719368,"access_control":null,"user":{"id":"996a76ca-14df-410c-b0ec-39f5248d4474","name":"admin","email":"cx@localhost","role":"admin","profile_image_url":"blabla"}}]` Behavior on Interaction: When the user clicks on the prompt: This triggers a GET request due to CSPT: `INFO: 127.0.0.1:63151 - "GET /ENDPOINT_DEFINED_BY_BAD_GUY HTTP/1.1" 200 OK` When the user tries to delete the prompt: A DELETE request is triggered, targeting an arbitrary endpoint: `INFO: 127.0.0.1:63221 - "DELETE /ENDPOINT_DEFINED_BY_BAD_GUY/delete HTTP/1.1" 405 Method Not Allowed` PoC/Details - Improper Neutralization of Input During Web Page Generation `[{"command":"/some<IMG SRC=http:cert.cx>HTMLTAGs","user_id":"996a76ca-14df-410c-b0ec-39f5248d4474","title":"blabla","content":"blabla","timestamp":1736719368,"access_control":null,"user":{"id":"996a76ca-14df-410c-b0ec-39f5248d4474","name":"admin","email":"cx@localhost","role":"admin","profile_image_url":"blabla"}}]` When the user opens the prompt and hovers over the name, the malicious HTML tag is executed, leading to unwanted behavior. `"Activate this command by typing \"/{{COMMAND}}\" to chat input.": "",` **Impact** Persistent Malicious Prompts: Attackers can create prompts that cannot be deleted, potentially disrupting application functionality. Arbitrary Endpoint Manipulation: Through CSPT, attackers can manipulate DELETE requests to target unintended resources, resulting in data loss or other unintended side effects. Potential Cross-Site Scripting (XSS): Improper neutralization of input during web page generation allows attackers to execute arbitrary HTML or JavaScript code, leading to potential XSS attacks. **Proposal of patch** Add to backend/open_webui/routers/prompts.py validation of command field before inserting ``` @router.post("/create", response_model=Optional[PromptModel]) async def create_new_prompt( request: Request, form_data: PromptForm, user=Depends(get_verified_user) ): if user.role != "admin" and not has_permission( user.id, "workspace.prompts", request.app.state.config.USER_PERMISSIONS ): raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=ERROR_MESSAGES.UNAUTHORIZED, ) if not re.match(r'^[a-zA-Z0-9\-\/]+$', form_data.command): raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid command: Only alphanumeric characters and hyphens are allowed.", ) prompt = Prompts.get_prompt_by_command(form_data.command) if prompt is None: prompt = Prompts.insert_new_prompt(user.id, form_data) ``` **Thanks** Guys... big thanks for your open source project. I really appreciate your hard job. Maksymilian Arciemowicz
Author
Owner

@tjbck commented on GitHub (Jan 25, 2025):

Have you actually tried this? Our backend has a sanitisation logic that will block this request.

<!-- gh-comment-id:2613717581 --> @tjbck commented on GitHub (Jan 25, 2025): Have you actually tried this? Our backend has a sanitisation logic that will block this request.
Author
Owner

@MaksymilianA commented on GitHub (Jan 25, 2025):

@tjbck Please check screenshot. I've pulled last changes and it's still possible. You have right that manualy it's not possible. BUT special crafted prompt can create such issue

Image Image

if you know where is the validation.. i can check

<!-- gh-comment-id:2613937456 --> @MaksymilianA commented on GitHub (Jan 25, 2025): @tjbck Please check screenshot. I've pulled last changes and it's still possible. You have right that manualy it's not possible. BUT special crafted prompt can create such issue <img width="943" alt="Image" src="https://github.com/user-attachments/assets/6c283780-3b19-4b0d-9922-8db6c8425ff9" /> <img width="1117" alt="Image" src="https://github.com/user-attachments/assets/5b5a9078-b69e-450e-a5c6-4a5b842e8e5c" /> if you know where is the validation.. i can check
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#135032