Free Photo & Video Vault Directory Traversal Vulnerability
Vulnerability
A directory traversal vulnerability has been identified in Free Photo & Video Vault version 0.0.2. This vulnerability allows remote attackers to manipulate application path requests and access sensitive system files. Exploitation of this issue does not require privileges, enabling unauthorized users to retrieve environment variables and access restricted system paths.
Impact
Successful exploitation allows unauthorized access to sensitive system files and environment variables, potentially leading to a compromise of the mobile application and its data.
Reproduction
The vulnerability can be exploited by sending a request to the local web server with a manipulated path that includes directory traversal sequences. This can be done using a web browser or a tool that allows for custom HTTP requests. The injected path can be used to access sensitive files, such as the '/etc/passwd' file, which contains user account information.
Remediation
The vulnerability can be addressed by implementing proper validation and restriction of path variables in the application's web server configuration. This includes enforcing strict permissions for local and remote file access.
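One way to implement the path validation described above, as an added example that is not the application's code or part of the original advisory. The names `resolve_under_root` and `PathRejected`, the shared-directory layout, and the sample requests are all hypothetical and constructed for illustration; the check canonicalizes the decoded request path and refuses anything that resolves outside the directory the server is meant to expose.

```python
import os
import tempfile
from urllib.parse import unquote

class PathRejected(Exception):
    """Raised when a requested path must not be served."""

def resolve_under_root(root: str, request_path: str) -> str:
    """Map an HTTP request path to a file inside root, or raise PathRejected."""
    # Drop any query string and decode percent-escapes once, before any file access.
    decoded = unquote(request_path.split("?", 1)[0])
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # Treat the request path as relative to root, never as an absolute path.
    relative = decoded.replace("\\", "/").lstrip("/")
    real_root = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so the check sees the real target.
    candidate = os.path.realpath(os.path.join(real_root, relative))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathRejected("path escapes the shared directory")
    if not os.path.isfile(candidate):
        raise PathRejected("not a regular file")
    return candidate

def demo() -> dict:
    """Run constructed requests against a temporary shared directory."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "shared")  # directory the server may expose
        os.makedirs(os.path.join(root, "album"))
        with open(os.path.join(root, "album", "photo.jpg"), "wb") as fh:
            fh.write(b"constructed sample")
        with open(os.path.join(base, "secret.txt"), "w") as fh:
            fh.write("outside the shared directory")
        requests = ["/album/photo.jpg", "/album/../album/photo.jpg",
                    "/../secret.txt", "/%2e%2e/secret.txt",
                    "/album/..%2f..%2fsecret.txt", "/../../../../etc/passwd"]
        for req in requests:
            try:
                resolve_under_root(root, req)
                results[req] = "served"
            except PathRejected:
                results[req] = "rejected"
    return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{outcome:9} {req}")
```

The comparison is made on the canonical path after decoding, so encoded separators and symlinks pointing outside the shared directory are rejected along with plain `../` sequences.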
