[Bug]: Cross-Bot Authorization Bypass in TutorBot File Management - Unauthorized Bot File Modification #516

@Ro1ME

Do you need to file an issue?

  • I have searched the existing issues and this bug is not already filed.
  • I believe this is a legitimate bug, not just a question or feature request.

Describe the bug

DeepTutor contains a cross-bot authorization bypass vulnerability in the TutorBot file management flow. An unauthorized caller can reuse another bot's bot_id in the tutorbot file API to overwrite whitelisted control files such as SOUL.md, effectively hijacking the bot's behavior and configuration.

The vulnerability exists in deeptutor/services/tutorbot/manager.py:TutorBotManager.write_bot_file where the HTTP file write endpoint validates the filename against a whitelist but does not validate that the caller has ownership or authorization to modify files for the bot identified by the user-controlled bot_id parameter.

Steps to reproduce

  1. Install and start DeepTutor according to the upstream documentation, then sign in to the web UI.

  2. Open the Agents page at /agents and switch to the Profiles tab.

  3. If the target bot is directly selectable in the bot list, select it, open SOUL.md, replace the entire content with CBDSCAN_SOUL_MARKER, save through the normal UI action, and refresh the file view. If SOUL.md still shows CBDSCAN_SOUL_MARKER, the issue is reproduced directly from the browser UI.

  4. If the target bot is not directly selectable, choose a bot you do control and save one normal change to SOUL.md so the browser emits a real save request.

  5. In Burp, locate that save request and send it to Repeater.

  6. Change the URL from /api/v1/tutorbot/<your-bot-id>/files/SOUL.md to /api/v1/tutorbot/<target-bot-id>/files/SOUL.md.

  7. Change the request body to:

    {"content":"CBDSCAN_SOUL_MARKER"}

  8. Leave the remaining fields unchanged and replay the request.

  9. Return to the browser and reopen the target bot's SOUL.md.

  10. Confirm that the target bot's SOUL.md now contains CBDSCAN_SOUL_MARKER and still shows that value after refresh.

  11. Preserve three pieces of evidence: the original Profiles page, the modified request in Burp, and the final target-file page showing the changed marker.

Expected Behavior

The TutorBot file write endpoint should:

  • Validate that the caller has ownership or authorization to modify files for the specified bot_id
  • Return HTTP 403 (Forbidden) when an unauthorized caller attempts to modify another user's bot files
  • Implement proper bot-level authorization checks before persisting any file changes
  • Bind bots to their creator/owner and enforce this binding on all file operations
  • Maintain filename whitelist (already implemented) AND add bot ownership validation

Related Module

API/Backend

Configuration Used

Default DeepTutor configuration

No special configuration required to reproduce

Vulnerability exists in default tutorbot file API

Logs and screenshots

No response

Additional Information

  • DeepTutor Version: v1.4.0
  • Operating System: Windows 11, macOS 14.0, Ubuntu 22.04
  • Python Version: 3.10+
  • Node.js Version: 18.17.0+
  • Browser (if applicable): Chrome 120+, Firefox 121+ (any modern browser)
  • Related Issues: None
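
The check that the Expected Behavior list asks for, sketched as an added example; this is not DeepTutor's code. `BotStore`, `Bot`, `FileApiError`, the owner binding and the whitelist contents are assumptions made for illustration, and `write_unchecked` mirrors the whitelist-only behaviour the report describes so the two can be compared.

```python
from dataclasses import dataclass, field

# Assumed whitelist: the issue names only SOUL.md; the real list is not shown on the page.
ALLOWED_FILES = frozenset({"SOUL.md"})


class FileApiError(Exception):
    """Carries the HTTP status a route handler would return."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


@dataclass
class Bot:
    owner_id: str                      # bound once, at creation time
    files: dict = field(default_factory=dict)


class BotStore:
    """Hypothetical in-memory stand-in for the bot manager."""
    def __init__(self):
        self._bots = {}

    def create(self, bot_id: str, owner_id: str) -> None:
        self._bots[bot_id] = Bot(owner_id=owner_id)

    def read(self, bot_id: str, filename: str) -> str:
        return self._bots[bot_id].files.get(filename, "")

    def write_unchecked(self, bot_id: str, filename: str, content: str) -> None:
        """Behaviour described in the issue: whitelist only, no caller check."""
        if filename not in ALLOWED_FILES:
            raise FileApiError(400, "filename not allowed")
        self._bots[bot_id].files[filename] = content

    def write(self, caller_id: str, bot_id: str, filename: str, content: str) -> None:
        """Whitelist AND ownership, both checked before anything is persisted."""
        if filename not in ALLOWED_FILES:
            raise FileApiError(400, "filename not allowed")
        bot = self._bots.get(bot_id)
        # caller_id must come from the authenticated session, never from the
        # request path or body. Unknown and foreign bots get the same 403 so the
        # response does not confirm which bot ids exist (a design assumption).
        if bot is None or bot.owner_id != caller_id:
            raise FileApiError(403, "not authorized for this bot")
        bot.files[filename] = content
```

A regression test for the fix should assert both halves: the owner's write succeeds, and a write with another caller's identity returns 403 and leaves the stored file unchanged.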

Labels: bug
