Wangxutech MoneyPrinterTurbo Path Traversal Vulnerability in API Download Endpoint

Vulnerability

A path traversal vulnerability has been identified in Wangxutech MoneyPrinterTurbo version 1.2.6. The issue arises in the API download endpoint and allows attackers to access arbitrary files on the server. It can be exploited by sending requests to the '/api/v1/download/' URI with crafted file paths that traverse the directory structure to reach files such as '/etc/passwd'.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including application secrets or system information.

Reproduction

The vulnerability can be reproduced by sending a request to the '/api/v1/download/' endpoint with a path traversal payload. For example, '..' sequences can be used to navigate up the directory structure and access files like '/etc/passwd' on Linux systems or 'C:\Windows\win.ini' on Windows systems.
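
A containment check of the kind that stops the traversal described above, given here as an added example; it is not MoneyPrinterTurbo's code or its fix. The function name, the download directory layout and the sample requests are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class UnsafePathError(ValueError):
    """The requested path leaves the allowed download directory."""


# Hypothetical helper; its name and the directory layout are assumptions.
def resolve_download_path(base_dir, requested):
    """Map the raw text after '/api/v1/download/' to a file under base_dir."""
    base = Path(base_dir).resolve()
    # Decode once, as a web framework would, so '%2e%2e%2f' is seen as '../'.
    decoded = unquote(requested)
    # Treat backslashes as separators so Windows-style input is normalized too.
    normalized = decoded.replace("\\", "/")
    # Joining an absolute path would discard base entirely, so reject it.
    if normalized.startswith("/") or normalized[1:2] == ":":
        raise UnsafePathError("absolute path")
    # resolve() collapses '..' and follows symlinks before the containment test.
    candidate = (base / normalized).resolve()
    if base not in candidate.parents:
        raise UnsafePathError("path escapes download directory")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


# Constructed sample requests: two legitimate, four traversal attempts.
SAMPLES = ["abc/final.mp4", "abc/../abc/final.mp4", "../../etc/passwd",
           "..%2f..%2fetc%2fpasswd", "/etc/passwd", "..\\..\\Windows\\win.ini"]


def demo():
    """Classify SAMPLES against a temporary, constructed download directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "tasks")
        (base / "abc").mkdir(parents=True)
        (base / "abc" / "final.mp4").write_bytes(b"video")
        results = {}
        for req in SAMPLES:
            try:
                resolve_download_path(base, req)
                results[req] = "served"
            except (UnsafePathError, FileNotFoundError) as exc:
                results[req] = type(exc).__name__
        return results
```

The check compares fully resolved paths, so a request that contains '..' but still lands inside the download directory is served, while any request that resolves outside it is refused before the file is opened.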

Added: Sep 15, 2025, 7:20 PM
Updated: Sep 15, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.