
Vulnerability Change Records for CVE-2024-1522

Change History

New CVE Received by NIST 3/30/2024 2:15:45 PM

Action Type Old Value New Value
Added CVSS V3
huntr.dev AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Added CWE
huntr.dev CWE-352
Added Description
I had activated CORS because I had a development UI that uses another port number, and then I forgot to remove it.

So what I just did is:
- First, removed the CORS configuration that allows everyone to access it:
before:
```python
import socketio

sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins="*", ping_timeout=1200, ping_interval=30)  # Enable CORS for everyone
```
after:
```python
import os
import socketio

# lollms_paths and config come from the surrounding lollms module
cert_file_path = lollms_paths.personal_certificates / "cert.pem"
key_file_path = lollms_paths.personal_certificates / "key.pem"
# Serve over HTTPS only when both a certificate and a key are present
is_https = os.path.exists(cert_file_path) and os.path.exists(key_file_path)

# The server's own origin must use the scheme it actually serves
local_origin = f"https://localhost:{config['port']}" if is_https else f"http://localhost:{config['port']}"

# Create a Socket.IO server that accepts only the configured origins plus its own
sio = socketio.AsyncServer(
    async_mode="asgi",
    cors_allowed_origins=config.allowed_origins + [local_origin],
    ping_timeout=1200,
    ping_interval=30,
)  # Enable CORS for selected origins
```

- Second, I have updated lollms to have two modes (a headless mode and a UI mode), and updated /execute_code to block if the server is headless or is exposed:
```python
from fastapi import Request

# router, lollmsElfServer, ASCIIColors, trace_exception and the execute_*
# helpers are defined elsewhere in lollms-webui
@router.post("/execute_code")
async def execute_code(request: Request):
    """
    Executes Python code and returns the output.

    :param request: The HTTP request object.
    :return: A JSON response with the status of the operation.
    """
    # Refuse outright in deployments where code execution must never be reachable
    if lollmsElfServer.config.headless_server_mode:
        return {"status": False, "error": "Code execution is blocked when in headless mode for obvious security reasons!"}

    if lollmsElfServer.config.host == "0.0.0.0":
        return {"status": False, "error": "Code execution is blocked when the server is exposed outside for very obvious reasons!"}

    try:
        data = await request.json()
        code = data["code"]
        discussion_id = int(data.get("discussion_id", "unknown_discussion"))
        message_id = int(data.get("message_id", "unknown_message"))
        language = data.get("language", "python")

        # Dispatch to the runner for the requested language; each one logs the code first
        if language == "python":
            ASCIIColors.info("Executing python code:")
            ASCIIColors.yellow(code)
            return execute_python(code, discussion_id, message_id)
        elif language == "javascript":
            ASCIIColors.info("Executing javascript code:")
            ASCIIColors.yellow(code)
            return execute_javascript(code, discussion_id, message_id)
        elif language in ["html", "html5", "svg"]:
            ASCIIColors.info("Executing html code:")
            ASCIIColors.yellow(code)
            return execute_html(code, discussion_id, message_id)
        elif language == "latex":
            ASCIIColors.info("Executing latex code:")
            ASCIIColors.yellow(code)
            return execute_latex(code, discussion_id, message_id)
        elif language in ["bash", "shell", "cmd", "powershell"]:
            ASCIIColors.info("Executing shell code:")
            ASCIIColors.yellow(code)
            return execute_bash(code, discussion_id, message_id)
        elif language in ["mermaid"]:
            ASCIIColors.info("Executing mermaid code:")
            ASCIIColors.yellow(code)
            return execute_mermaid(code, discussion_id, message_id)
        elif language in ["graphviz", "dot"]:
            ASCIIColors.info("Executing graphviz code:")
            ASCIIColors.yellow(code)
            return execute_graphviz(code, discussion_id, message_id)
        return {"status": False, "error": "Unsupported language", "execution_time": 0}
    except Exception as ex:
        trace_exception(ex)
        lollmsElfServer.error(ex)
        return {"status": False, "error": str(ex)}
```

I also added an optional HTTPS mode and am looking forward to adding full authentication with cookies, a personal session, etc.

All updates will be in V 9.1.

Again, thanks a lot for your work. I will make it harder next time, but if you find more bugs, just be my guest :)
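The two halves of the fix above (an origin allowlist in place of the wildcard, and the headless/exposed gate on /execute_code) as an added, stand-alone example; this is not lollms-webui code. The ServerConfig dataclass, its field names and the lower-cased header dict are assumptions; it goes beyond the page by also treating "::" (the IPv6 any-address bind) as exposed and by rejecting a missing or "null" Origin.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServerConfig:
    # Assumed shape of the config; field names mirror the ones used in the fix
    host: str = "localhost"
    port: int = 9600                      # constructed default, not from the page
    headless_server_mode: bool = False
    allowed_origins: list = field(default_factory=list)


def build_allowed_origins(config: ServerConfig, is_https: bool) -> list:
    """Configured origins plus the server's own localhost origin, scheme matching what it serves."""
    scheme = "https" if is_https else "http"
    return list(config.allowed_origins) + [f"{scheme}://localhost:{config.port}"]


def origin_allowed(origin: Optional[str], allowed: list) -> bool:
    """Exact match on scheme://host[:port]. No wildcard and no prefix or substring
    match, so 'http://localhost:9600.example.net' does not pass; a missing or
    'null' Origin is rejected rather than treated as same-origin."""
    if not origin or origin == "null":
        return False
    return origin in allowed


def execution_blocked_reason(config: ServerConfig) -> Optional[str]:
    """Why /execute_code must refuse, or None if it may run. '::' is added to
    the page's 0.0.0.0 check because it binds every IPv6 interface the same way."""
    if config.headless_server_mode:
        return "Code execution is blocked when in headless mode"
    if config.host in ("0.0.0.0", "::"):
        return "Code execution is blocked when the server is exposed outside"
    return None


def handle_execute_code(config: ServerConfig, is_https: bool, headers: dict) -> dict:
    """Deployment checks run first, then the Origin check, so a blocked server
    never evaluates a cross-site request any further. headers: lower-cased names."""
    reason = execution_blocked_reason(config)
    if reason:
        return {"status": False, "error": reason}
    allowed = build_allowed_origins(config, is_https)
    if not origin_allowed(headers.get("origin"), allowed):
        return {"status": False, "error": "Origin not allowed"}
    return {"status": True}
```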
Added Reference
huntr.dev https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b [No types assigned]
Added Reference
huntr.dev https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71 [No types assigned]