Fonoster VoiceServer Directory Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A local file inclusion vulnerability has been identified in Fonoster VoiceServer, affecting versions from 0.5.5 up to, but not including, 0.6.1. The issue allows directory traversal attacks that can read arbitrary files through the /sounds/:file and /tts/:file VoiceServer endpoints. The vulnerability arises from insecure handling of user input in the file-serving functionality, specifically in the serveFiles function located in mods/voice/src/utils.ts.

Impact

Exploitation of this vulnerability results in local file inclusion: an attacker can traverse the directory structure and read sensitive files on the server, such as the passwd file on Unix-based systems.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /sounds or /tts endpoint with a crafted file parameter that includes directory traversal sequences, such as '../', to access files outside the intended directory.

Remediation

Users are advised to implement input validation to ensure the file parameter does not contain path traversal attempts, use path normalization to remove '../' sequences, and check that the resolved path remains within the intended directory. Currently, there is no official patch available for this vulnerability.

Added: Mar 5, 2026, 8:25 PM
Updated: Mar 5, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.