Vociferous Unauthenticated Remote Path Traversal Vulnerability Allowing Arbitrary File Write
Vulnerability
A critical, unauthenticated remote path traversal vulnerability exists in Vociferous versions prior to 4.4.2. The export_file route in src/api/system.py accepts a JSON payload containing a filename and content, and passes the filename to the backend's filesystem logic without validating it. Because the API also ships with an overly permissive CORS configuration, an external origin can call the endpoint directly and bypass the UI file dialog that was meant to constrain where exports are written. By including directory traversal sequences in the filename, an attacker can make the application write attacker-controlled data to any location writable by the user account running Vociferous. This can lead to unauthorized modification of sensitive files and, if the written file is later executed by the system, to remote code execution.
Impact
Exploitation of this vulnerability gives an unauthenticated remote attacker an arbitrary file write at any path the Vociferous process can reach. This can overwrite critical files or, where the written file is a script or other artifact that the system later executes, lead to code execution with that user's privileges.
Reproduction
To reproduce this vulnerability, first run Vociferous under a different user account from the one used to send the request, so that a successful write is visibly performed with the application's privileges rather than the tester's. With Vociferous running, send a POST request to the export_file API endpoint whose JSON payload specifies a filename containing directory traversal sequences that point at a sensitive location, such as the root directory. The application will prompt to save the file; once it is saved, the file appears at the traversed location outside the intended export directory, confirming the vulnerability.
Remediation
To address this vulnerability, sanitize the filename parameter by wrapping it in a function that strips directory components and traversal sequences, leaving only a bare basename. Require authentication on the API, for example a Bearer token or API key, so that unauthenticated callers cannot reach the endpoint at all. Before writing to disk, resolve the final path and verify that it still lies inside the designated export directory; a basename check alone does not catch, for instance, a symlink already present in that directory. Finally, restrict the CORS policy to trusted origins only.
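The following is an added example, not code from Vociferous or its maintainers, that illustrates both the reproduction above and the remediation: a handler that joins the client-supplied filename straight onto the export directory, as the advisory describes, beside a hardened handler that sanitizes to a basename, re-checks the resolved path, and requires a token. The route, module and parameter names come from the advisory; the export directory, token scheme, helper names and the traversal payload are assumptions constructed for the demonstration.

```python
"""Traversal-prone export handler next to a hardened one (added example, not
Vociferous code). Only the route, module and parameter names are from the
advisory; the directory layout, token check and payload are constructed."""
import hmac
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional


class ExportError(ValueError):
    """Raised when a request must be rejected instead of written to disk."""


def export_file_vulnerable(export_dir: Path, filename: str, content: str) -> Path:
    """Mirrors the flaw in the advisory: the filename is joined to the export
    directory with no validation, so '../' sequences walk out of it."""
    target = Path(os.path.join(export_dir, filename))
    target.write_text(content)
    return target


def sanitize_filename(filename: str) -> str:
    """Reduce a client-supplied name to a bare basename.

    Both separator styles are stripped because a request may carry either;
    names that would still escape or misbehave ('', '.', '..', NUL) are
    rejected outright rather than 'repaired'."""
    base = PureWindowsPath(PurePosixPath(filename).name).name
    if base in ("", ".", "..") or "\x00" in base:
        raise ExportError(f"unsafe filename: {filename!r}")
    return base


def resolve_export_path(export_dir: Path, filename: str) -> Path:
    """Sanitize, then verify the *resolved* target still sits directly in
    export_dir. This second check catches what sanitizing cannot, e.g. a
    symlink already present in the export directory."""
    root = export_dir.resolve()
    target = (root / sanitize_filename(filename)).resolve()
    if target.parent != root:
        raise ExportError(f"path escapes export directory: {filename!r}")
    return target


def check_token(authorization: Optional[str], expected_token: str) -> None:
    """Assumed Bearer-token check; the advisory recommends auth but names no scheme."""
    if authorization is None or not hmac.compare_digest(
        authorization, f"Bearer {expected_token}"
    ):
        raise ExportError("unauthorized")


def export_file_hardened(export_dir: Path, filename: str, content: str,
                         authorization: Optional[str], expected_token: str) -> Path:
    """Hardened handler: authenticate, constrain the path, then write."""
    check_token(authorization, expected_token)
    target = resolve_export_path(export_dir, filename)
    target.write_text(content)
    return target


def demo() -> dict:
    """Run both handlers against a constructed traversal payload in a temp tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp_name:
        tmp = Path(tmp_name)
        export_dir = tmp / "app" / "exports"
        export_dir.mkdir(parents=True)
        payload = {"filename": "../../owned.txt", "content": "attacker data"}  # constructed

        # Vulnerable: the write lands two levels above the export directory.
        export_file_vulnerable(export_dir, payload["filename"], payload["content"])
        results["vulnerable_escaped"] = (tmp / "owned.txt").read_text() == "attacker data"

        # Hardened: same payload is reduced to a basename inside export_dir.
        target = export_file_hardened(export_dir, payload["filename"], payload["content"],
                                      "Bearer s3cret", "s3cret")
        results["hardened_target_inside"] = target == (export_dir / "owned.txt").resolve()

        # Names that cannot be reduced to a safe basename are rejected.
        try:
            export_file_hardened(export_dir, "..", "x", "Bearer s3cret", "s3cret")
            results["dotdot_rejected"] = False
        except ExportError:
            results["dotdot_rejected"] = True

        # A symlink already inside export_dir is caught by the resolved-path check.
        (export_dir / "link").symlink_to(tmp / "elsewhere.txt")
        try:
            export_file_hardened(export_dir, "link", "x", "Bearer s3cret", "s3cret")
            results["symlink_rejected"] = False
        except ExportError:
            results["symlink_rejected"] = True

        # No Authorization header: rejected before any path handling.
        try:
            export_file_hardened(export_dir, "report.txt", "x", None, "s3cret")
            results["missing_token_rejected"] = False
        except ExportError:
            results["missing_token_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in export_file_hardened is deliberate: authentication fails first so an unauthenticated caller learns nothing about the filesystem, and the resolved-path comparison runs after sanitization so that a symlink or mount trick inside the export directory cannot turn an accepted basename back into an escape.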
