Applio Voice Conversion Tool Arbitrary File Write Vulnerability with Potential Remote Code Execution
Vulnerability
A vulnerability allowing arbitrary file writes has been identified in Applio, a voice conversion tool, in versions through 3.2.8-bugfix. The issue resides in the 'inference.py' file, where user-supplied input can be used to write files to the server. This vulnerability can be exploited in conjunction with an unsafe deserialization flaw to achieve remote code execution on the Applio server.
Impact
Exploitation of this vulnerability can lead to arbitrary file writes on the Applio server. If the written files are crafted appropriately, this could be combined with the application's unsafe deserialization vulnerabilities to achieve remote code execution on the server.
Reproduction
The vulnerability can be reproduced by uploading files through the 'bin_file_upload' and 'config_file_upload' parameters, while specifying a 'folder_name_input' that directs the files to a writable location on the server. This can be done via the application's user interface or by using a tool that interacts with the application's file upload features. The uploaded files will be copied to the specified folder, bypassing any restrictions on file types or contents.
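As an added illustration of how a defender would close the write described above (this is constructed example code, not Applio's own inference.py), the handler below validates 'folder_name_input' as a single path component that resolves inside an assumed models directory, and checks each upload's suffix against the parameter it arrived on; the expected suffixes, function names and models root are assumptions.

```python
import shutil
from pathlib import Path

# Constructed hardening example for an upload handler like the one described
# above; all names here are assumptions, not Applio's own code.

# Which file extension each upload parameter is expected to carry (assumed).
ALLOWED_SUFFIX = {"bin_file_upload": ".pth", "config_file_upload": ".json"}


def is_safe_folder_name(models_root: str, folder_name: str) -> bool:
    """True only if folder_name is one path component that stays inside models_root."""
    if not folder_name or folder_name in {".", ".."}:
        return False
    if any(ch in folder_name for ch in ("/", "\\", "\0")):
        return False
    root = Path(models_root).resolve()
    target = (root / folder_name).resolve()
    # Containment check on the resolved path catches symlink tricks as well.
    return root in target.parents


def is_allowed_upload(filename: str, kind: str) -> bool:
    """True only if the upload's suffix matches the parameter it was submitted on."""
    expected = ALLOWED_SUFFIX.get(kind)
    return expected is not None and Path(filename).suffix.lower() == expected


def copy_upload(models_root: str, folder_name: str, uploaded_path: str, kind: str) -> Path:
    """Copy one uploaded file into models_root/folder_name, refusing unsafe input."""
    if not is_safe_folder_name(models_root, folder_name):
        raise ValueError(f"rejected folder_name_input: {folder_name!r}")
    if not is_allowed_upload(uploaded_path, kind):
        raise ValueError(f"rejected {kind} upload: {uploaded_path!r}")
    dest_dir = Path(models_root).resolve() / folder_name
    dest_dir.mkdir(parents=True, exist_ok=True)
    # Use only the basename of the upload so the caller cannot steer the final path.
    dest = dest_dir / Path(uploaded_path).name
    shutil.copyfile(uploaded_path, dest)
    return dest
```

The suffix check limits what reaches the models directory but does not remove the unsafe deserialization flaw the advisory mentions; loading of the copied files still needs its own fix.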
