CVE-2024-2356

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post("/reinstall_extension") route. This vulnerability allows attackers to inject a malicious name parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of data.name directly with lollmsElfServer.lollms_paths.extensions_zoo_path and its use as an argument for ExtensionBuilder().build_extension(). The server's handling of the __init__.py file in arbitrary locations, facilitated by importlib.machinery.SourceFileLoader, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to 0.0.0.0 or in headless mode. No user interaction is required for exploitation.