Description
Voice Changer Version
MMVCServerSIO_win_onnxgpu-cuda_v.1.5.3.17b.zip
Operational System
Windows 10
GPU
NVIDIA GeForce RTX 2060 SUPER
Read carefully and check the options
- I've tried to Clear Settings
- Sample/Default Models are working
- I've tried to change the Chunk Size
- GUI was successfully launched
- I've read the tutorial
- I've tried to extract to another folder (or re-extract) the .zip file
Model Type
RVC
Issue Description
The backend (i.e. the Python system serving requests to 127.0.0.1:18888/info, 127.0.0.1:18888/update_settings, etc.) currently does no CORS validation (i.e. validation of the Referer header) for any requests made to it (nor identity checks of any other sort).
The relevant code in the server where these requests are being received:
voice-changer/server/restapi/MMVC_Rest_Fileuploader.py
Lines 20 to 34 in 927bba6
What this means: Any website on the internet can just make whatever API calls it wants to the running W-Okada backend, including:
- Getting a list of all voices the visitor has installed. (and the currently selected one)
- Getting various information about the host machine. (graphics card model, memory amount, list of all audio input and output devices, etc.)
- Changing any voice-changer settings that the user is able to change from the UI.
- Hijacking the running backend to perform voice-changing operations using their GPU.
- Directly reading the contents of all folders/files within model_dir. (DEMO)
- Uploading its own voice models to the model_dir folder. This is probably the most serious, since if there are any flaws in the model-loading or model-execution code of the server, a hand-crafted malicious model upload could exploit that flaw to perform operations on the wider host machine.
As linked above, I created a working codepen demonstrating how random sites can access the backend: https://codepen.io/Venryx/pen/NWJeKaz
If the W-Okada app is running when you open the link above, it will read and display the contents of the first model's params.json file. (I can extend the demo to show various other endpoints being called if needed, but from the ones I've tested so far, all of them work.)
Application Screenshot
Here is an example output from the quick codepen.io demo I put together, where it reads the contents of the first model in model_dir (one of the demo voices that the app starts with):
Logs on console
Not applicable. The problem is not that an error is occurring, but that an error is not occurring, i.e. the backend is accepting requests from any website, without any identity verification (for example, verifying that the Referer header equals 127.0.0.1:18888).
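One way a loopback-only backend could reject requests that did not come from its own UI, as an added example that is not part of the original issue or the project's code. It goes beyond the Referer check suggested above by also checking the Origin and Host headers; the WSGI wrapper, the names `is_request_allowed` and `LocalOriginGuard`, and the assumption that the UI is served from `http://127.0.0.1:18888` or `http://localhost:18888` are illustrative.

```python
from urllib.parse import urlsplit

# Assumption: the UI is only ever loaded from these host:port pairs
# (port 18888 is the one named in the issue).
ALLOWED_HOSTS = {"127.0.0.1:18888", "localhost:18888"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _netloc(url):
    """Return host:port of an Origin/Referer value, or None if it is not an http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return parts.netloc.lower()
    return None  # covers "Origin: null" from sandboxed frames


def is_request_allowed(method, headers):
    """Decide whether a request came from the backend's own UI.

    headers: dict keyed by lower-case header name.
    """
    # 1. Host must be a loopback name we serve on (defends against DNS rebinding).
    if headers.get("host", "").lower() not in ALLOWED_HOSTS:
        return False
    # 2. Browsers send Origin on cross-origin fetch/XHR and on non-GET/HEAD requests.
    origin = headers.get("origin")
    if origin is not None:
        return _netloc(origin) in ALLOWED_HOSTS
    # 3. No Origin: fall back to Referer when the browser supplied one.
    referer = headers.get("referer")
    if referer is not None:
        return _netloc(referer) in ALLOWED_HOSTS
    # 4. Neither header: permit read-only methods only (first page load, local CLI).
    return method.upper() in SAFE_METHODS


class LocalOriginGuard:
    """WSGI middleware that answers 403 before the wrapped app sees a foreign request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        headers = {k[5:].replace("_", "-").lower(): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        if not is_request_allowed(environ.get("REQUEST_METHOD", "GET"), headers):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"cross-origin request rejected\n"]
        return self.app(environ, start_response)
```

A header check of this kind only filters browser-originated traffic; it does not authenticate other local processes, which can set any header they like.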