Executive Summary

This vulnerability is a critical security flaw in parisneo/lollms versions up to 2.2.0 that allows any authenticated user to accept or reject friend requests that belong to other users.

The issue arises because the function responsible for responding to friend requests (`respond_request()` in `backend/routers/friends.py`) does not properly check if the user making the request is authorized to do so. Specifically, the API endpoint `/api/friends/requests/{friendship_id}` fails to verify whether the authenticated user is part of the friendship or the intended recipient of the friend request.

This lack of authorization check enables an Insecure Direct Object Reference (IDOR) attack, where users can manipulate the system to act on friend requests that are not theirs.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access and privacy violations by allowing users to manipulate friend requests of others without permission.

It can also facilitate social engineering attacks by enabling attackers to control social connections or interactions between users.

Overall, it compromises the security and integrity of the friend request handling mechanism, potentially exposing users to unwanted or malicious interactions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether an authenticated user can respond to friend requests that do not belong to them via the `/api/friends/requests/{friendship_id}` endpoint.

A practical approach is to attempt to accept or reject friend requests using different user accounts and verify if unauthorized actions are allowed.

For example, you can use curl commands to simulate these requests:

• curl -X POST -H "Authorization: Bearer <token_of_user_A>" https://<your_lollms_instance>/api/friends/requests/<friendship_id_of_user_B> -d '{"action": "accept"}'
• If the request succeeds for a friendship_id not involving user A, the system is vulnerable.

Monitoring logs for unauthorized friend request responses or unexpected HTTP 200 responses to such requests can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade parisneo/lollms to version 2.2.0 or later, where the vulnerability has been fixed.

This update includes authorization checks in the `respond_request` function that ensure only users involved in a friendship can respond to friend requests, and prevent users from responding to their own requests.

If upgrading immediately is not possible, restrict access to the `/api/friends/requests/{friendship_id}` endpoint to trusted users only and monitor for suspicious activity.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized users to accept or reject friend requests on behalf of other users, leading to unauthorized access and privacy violations.

Such unauthorized access and privacy breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal data and user consent.

By enabling Insecure Direct Object Reference (IDOR) attacks, the vulnerability undermines the confidentiality and integrity of user interactions, potentially exposing personal information without proper authorization.

Useful 0 Not Useful 0