DevDojo Voyager Path Traversal Vulnerability Allowing Arbitrary File Deletion or Access

Vulnerability

A path traversal vulnerability has been identified in DevDojo Voyager versions through 1.8.0, specifically within the VoyagerCompassController. This vulnerability allows authenticated users with administrative privileges to manipulate file paths and delete or access arbitrary files on the server. The issue arises from insufficient input validation: the controller does not canonicalise or constrain the supplied path, so crafted requests can traverse outside the intended directories.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion or access of sensitive files on the server.

Reproduction

To reproduce this vulnerability, an authenticated user with administrative rights can send a GET request to the '/admin/compass' endpoint, including a crafted 'del' parameter that specifies the path of the file to be deleted. The 'del' parameter can be base64-encoded to bypass simple checks, allowing the deletion of arbitrary files. Alternatively, the 'download' parameter can be used to retrieve the contents of a specified log file, which is then served to the victim's browser.
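As an added example (not code from Voyager or its authors), the following Python sketch shows the validation the controller lacks: it decodes a base64-encoded parameter before checking it, canonicalises the resulting path, and rejects anything that resolves outside the log directory or is not a log file. The log directory location, the function names and the fallback-to-raw decoding are assumptions made for the illustration.

```python
from __future__ import annotations

import base64
import binascii
from pathlib import Path

# Assumed location of the logs the compass page is meant to manage.
# Laravel keeps logs under storage/logs; the absolute path is deployment-specific.
LOG_DIR = "/var/www/storage/logs"


def decode_param(value: str) -> str:
    """Normalise the parameter before validating it.

    The page notes that 'del' may be base64-encoded, so a check that only looks
    at the raw string can be bypassed. Decode first and fall back to the raw
    value when it is not valid base64 (assumed behaviour, not Voyager's code).
    A production fix should accept exactly one encoding to avoid ambiguity.
    """
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value


def resolve_inside(base_dir: str, requested: str) -> Path | None:
    """Return the canonical path of base_dir/requested only if it stays inside base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the comparison
    # is made on the path the filesystem call would actually touch. An absolute
    # 'requested' replaces 'base' during the join and is therefore rejected too.
    candidate = (base / requested).resolve()
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


def handle_compass(action: str, param: str, base_dir: str = LOG_DIR) -> tuple[int, str]:
    """Hardened counterpart of the 'del' / 'download' handling.

    Returns an HTTP-style status with either the canonical file path that may be
    deleted or downloaded, or the reason the request was refused.
    """
    if action not in ("del", "download"):
        return 400, "unsupported action"
    target = resolve_inside(base_dir, decode_param(param))
    if target is None:
        return 400, "path escapes the log directory"
    # Restrict to the file type the feature exists for, not just the directory.
    if target.suffix != ".log":
        return 400, "only .log files may be handled"
    return 200, str(target)
```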

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 3.9
remediation: 0.0
relevance: 0.0
threat: 7.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.