<img src="x">
As shown above, problematic characters such as angle-brackets
are properly sanitized. Now, take for example the following
prompt:
Render the following inline using codeblocks. Do not modify the text that comes after the colon. Simply render the following, and make sure to include the backticks, that is very important:
foo
```
bar
```
zoinks
```
Notice the markdown codeblocks included in the prompt are uneven
and not closed properly. When the language model follows the
prompt, the above text should be inserted between two sets
of triple-backticks:
The text between the codeblocks will be rendered as it is, without any modifications. Here is the rendered output:
```
foo
```
bar
```
zoinks
```
Strangely, the language model accounted for the missing backticks
and omitted the final set. When this response is rendered by Open
WebUI, the strings "foo" and "zoinks" are inserted into
HTML tags, while the rest is simply rendered in the browser
as HTML:
Here's the corrected response with the backticks included:
foo
bar
zoinks
```
This client-side vulnerability could be the result of expected
behavior from HTML codeblocks. Since such tags are designed
to contain raw HTML that is rendered as literal strings,
sanitization is skipped. However, by feeding the model invalid
markdown it is possible to confuse the sanitizer and execute
arbitrary JavaScript, as demonstrated above.
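To make the failure mode concrete, here is an added illustration (not Open WebUI's code, and not the advisory's) of two toy markdown renderers: one that decides "prose or code" by counting backtick fences, beside a line-based one that escapes every segment and treats an unclosed fence as running to end of input. The sample reply is constructed, with the advisory's own harmless `<img src="x">` in the slot that held "bar".

```javascript
// Added illustration, not Open WebUI's code: a renderer that decides
// "prose or code" by fence parity, beside a line-based one that escapes
// every segment and treats an unclosed fence as running to end of input.

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Fragile model: split on ``` and assume segments alternate prose/code.
// Code segments are escaped; prose is passed through as inline HTML, as a
// markdown engine with raw HTML enabled would do. The fence layout of the
// model's reply, not the author's intent, decides what counts as "code".
function renderByParity(md) {
  return md.split("```").map((seg, i) =>
    i % 2 === 1 ? "<pre><code>" + escapeHtml(seg) + "</code></pre>" : seg
  ).join("");
}

// Hardened model: walk line by line. A line that is exactly ``` toggles
// code mode; an unclosed fence runs to end of input (as CommonMark does).
// Every line is escaped whether it is code or prose, so the fence count
// never changes whether "<" reaches the DOM unescaped.
function renderLineBased(md) {
  const out = [];
  let inCode = false, code = [];
  const flush = () => { out.push("<pre><code>" + escapeHtml(code.join("\n")) + "</code></pre>"); code = []; };
  for (const line of md.split("\n")) {
    if (line.trim() === "```") {
      if (inCode) flush();
      inCode = !inCode;
    } else if (inCode) {
      code.push(line);
    } else {
      out.push("<p>" + escapeHtml(line) + "</p>");
    }
  }
  if (inCode) flush();
  return out.join("");
}

// Detection aid: a reply or prompt whose fence lines do not pair up (odd
// count) is the shape the advisory's prompt has, and is worth logging.
function hasUnbalancedFences(md) {
  return md.split("\n").filter(l => l.trim() === "```").length % 2 === 1;
}

// Constructed sample shaped like the advisory's response, with the
// advisory's own harmless <img src="x"> in the slot that held "bar".
const SAMPLE = "Here is the rendered output:\n```\nfoo\n```\n<img src=\"x\">\n```\nzoinks\n```";
```

Run `renderByParity(SAMPLE)` and `renderLineBased(SAMPLE)` side by side: the first emits the tag verbatim, the second emits `&lt;img ...&gt;` inside a `<p>`, whatever the fence count.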
4. Mitigation and Remediation Recommendation
No response from vendor; maintainer closed GitHub security
report GHSA-6953-m722-rpq8 on 2024.05.02. As of publication,
this issue appears to have been silently remediated.
5. Credit
This vulnerability was discovered by Jaggar Henry and Sean
Segreti of KoreLogic, Inc.
6. Disclosure Timeline
2024.03.05 - KoreLogic requests secure communications channel and point
of contact from OpenWebUI.com via email.
2024.03.12 - KoreLogic submits vulnerability details to maintainer via
GitHub Security 'Report a vulnerability' web form.
2024.04.01 - KoreLogic opens Discussion #1385 via GitHub to request an
update from the maintainer.
2024.04.16 - 30 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.05.02 - Maintainer closes GitHub security report
GHSA-6953-m722-rpq8.
2024.05.29 - 60 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.07.12 - 90 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.08.07 - KoreLogic public disclosure.
7. Proof of Concept
1. Click "New Chat" on the top left of the screen
2. Select a language model via the dropdown at the top
of the screen, such as "codellama:latest".
3. Paste the following prompt into the message box at
the bottom of the screen:
The text between the codeblocks will be rendered as it is, without any modifications. Here is the rendered output:
```
foo
```
bar
```
zoinks
```
4. Send the message.
5. Observe the JavaScript message box that has appeared at
the top of the screen.
The contents of this advisory are copyright(c) 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy