Mini Mouse Path Traversal Vulnerability Allowing Arbitrary File Access
Vulnerability
A path traversal vulnerability has been identified in Mini Mouse version 9.2.0. It allows remote attackers to access arbitrary system files and directories by sending crafted HTTP requests. By manipulating the file and path parameters, an attacker can retrieve sensitive files, such as win.ini, and list the contents of system directories like C:\Users\Public.
Impact
Exploitation of this vulnerability could result in unauthorized access to sensitive system files and directories, potentially leading to further exploitation or information disclosure.
Reproduction
The vulnerability can be reproduced by sending an HTTP GET request with a crafted file parameter that includes a path traversal sequence. The server response will include the contents of the requested file, demonstrating successful exploitation. Additionally, the vulnerability can be exploited by sending a POST request to the '/op=get_file_list' endpoint with a path parameter that lists the contents of the specified directory.
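A server-side containment check for the file and path parameters described above, as an added example (not Mini Mouse's code and not part of the advisory). The share root `C:\MiniMouseShare` and the function name `resolve_in_root` are assumptions made for illustration; the sample values are constructed.

```python
import ntpath
from urllib.parse import unquote

# Assumed share root, for illustration only; the advisory does not say which
# directory Mini Mouse is meant to serve.
SHARE_ROOT = r"C:\MiniMouseShare"


def resolve_in_root(value, root=SHARE_ROOT):
    """Map an already-decoded 'file'/'path' parameter to a path under root.

    Returns the normalized Windows path, or None if the value escapes root.
    ntpath is used so the Windows rules apply on any OS.
    """
    # Residual percent-encoding means the value was encoded twice; refuse it
    # rather than decode again. NUL bytes can truncate paths in native APIs.
    if unquote(value) != value or "\x00" in value:
        return None
    root_norm = ntpath.normpath(root)
    # join() discards root when value is absolute, rooted, or on another
    # drive/UNC share; normpath() then collapses "..", "." and "/".
    candidate = ntpath.normpath(ntpath.join(root_norm, value))
    try:
        common = ntpath.commonpath([root_norm, candidate])
    except ValueError:  # different drive, or absolute mixed with relative
        return None
    # Compare whole components, case-insensitively; a startswith() test would
    # accept the sibling directory C:\MiniMouseShareOld.
    if ntpath.normcase(common) != ntpath.normcase(root_norm):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed parameter values, not captured traffic.
    samples = [r"docs\report.txt", r"..\..\Windows\win.ini", r"C:\Users\Public",
               r"..\MiniMouseShareOld\notes.txt", "%2e%2e%5cWindows%5cwin.ini"]
    for s in samples:
        print(f"{s!r:40} -> {resolve_in_root(s)}")
```

This is a string-level check only: on a real host, also resolve symlinks and junctions (for example with `os.path.realpath`) before comparing against the root.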
