Harry Yu MoneyPrinterTurbo Path Traversal Vulnerability in Video Management Functions

Vulnerability

A critical path traversal vulnerability has been identified in Harry Yu MoneyPrinterTurbo versions through 1.2.6. The issue arises in the video management functions 'download_video' and 'delete_video' within 'app/controllers/v1/video.py'. The vulnerability allows remote attackers to manipulate file paths and access arbitrary files on the system by exploiting inadequate path validation.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the file system, allowing attackers to read sensitive files or download arbitrary files from the system.

Reproduction

The vulnerability can be reproduced by sending a request to the 'download_video' or 'delete_video' functions with a crafted 'file_path' parameter that includes relative path traversal sequences (such as '../'). Such a request bypasses the application's directory restrictions and reaches files outside the intended directory.
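The path validation this class of bug calls for, as an added example (not MoneyPrinterTurbo's code or its fix): resolve the client-supplied 'file_path' against the storage directory and accept it only if the result is still inside that directory. The helper name, the 'tasks' directory and the sample file names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    """The client-supplied path resolves outside the allowed directory."""


def resolve_inside(base_dir, file_path):
    """Hypothetical helper (not project code): resolve file_path under base_dir or raise."""
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses '..' and follows symlinks. An absolute file_path
    # replaces base in the join, so the check runs on the resolved result.
    candidate = (base / file_path).resolve()
    # Compare path components, not string prefixes: a startswith() test
    # would accept a sibling such as <root>/tasks_private.
    if base not in candidate.parents:
        raise PathOutsideBase(file_path)
    return candidate


def demo():
    """Run constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "tasks")
        (base / "abc").mkdir(parents=True)
        (base / "abc" / "final-1.mp4").write_bytes(b"constructed sample")
        Path(root, "tasks_private").mkdir()
        Path(root, "secret.txt").write_text("constructed sample")
        (base / "link").symlink_to(root, target_is_directory=True)
        cases = {
            "inside": "abc/final-1.mp4",
            "dotdot": "abc/../../secret.txt",
            "sibling": "../tasks_private/x",
            "absolute": str(Path(root, "secret.txt")),
            "symlink": "link/secret.txt",
        }
        for label, path in cases.items():
            try:
                resolve_inside(base, path)
                results[label] = "allowed"
            except PathOutsideBase:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

A handler would call the helper before opening or deleting anything and return an error response when PathOutsideBase is raised.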

Added: Jul 20, 2025, 3:17 PM
Updated: Jul 20, 2025, 3:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.