Florensiawidjaja BioinfoMCP Path Traversal Vulnerability in Upload Endpoint
Vulnerability
A path traversal vulnerability has been identified in Florensia Widjaja BioinfoMCP versions up to commit 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. The issue resides in the Upload function of the Upload Endpoint, specifically within the file bioinfo_mcp_platform/app.py. Because the 'filename' attribute of an uploaded file is used to build the destination path without sanitization, an attacker can write arbitrary files outside the intended upload directory and overwrite existing files there. The issue can be exploited remotely, and the vulnerability has been publicly disclosed.
Impact
Exploitation of this vulnerability allows for arbitrary file writes outside the designated upload directory, potentially overwriting critical files or disrupting application functionality. The uploaded files can also be used as input for other processes within the application, amplifying the impact.
Reproduction
The vulnerability can be reproduced by sending a multipart file upload to the '/upload' endpoint. The 'filename' field can be manipulated to include absolute paths or traversal sequences, directing the uploaded file to unintended locations on the server.
Remediation
It is recommended to restrict the upload functionality to trusted users until the vulnerability is addressed. Additionally, directory separators and absolute path indicators should be removed from filenames before saving, and the final destination should be verified to lie inside the upload directory. Using server-generated names for uploaded files, while keeping the original name only as metadata, removes the client's control over the path entirely.
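As an added example, not code from the BioinfoMCP project, the following Python contrasts the unsafe join pattern the advisory describes with a hardened store routine that implements the remediation: reduce the client-supplied name to a single safe path component, save under a server-generated name, keep the original name only as metadata, and confirm the final path is inside the upload root. The upload root (a temporary directory), the function names and the metadata layout are assumptions made for this example.

```python
import json
import os
import re
import secrets
import tempfile
from pathlib import Path

# Constructed upload root for the example; the real application's directory is not on the page.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="bioinfomcp_uploads_"))


def naive_destination(filename: str, root: Path = UPLOAD_ROOT) -> str:
    """The unsafe pattern: joining the client name directly onto the root.
    os.path.join discards 'root' when 'filename' is absolute, and '..'
    segments walk out of the directory, so the client chooses the target."""
    return os.path.join(str(root), filename)


def is_within_root(candidate: str, root: Path = UPLOAD_ROOT) -> bool:
    """Check whether joining a client-supplied name onto root stays inside root.
    This is the containment check the vulnerable handler lacks."""
    root_resolved = root.resolve()
    target = Path(os.path.join(str(root_resolved), candidate)).resolve()
    return target == root_resolved or root_resolved in target.parents


def sanitize_filename(raw: str) -> str:
    """Reduce a client-supplied filename to one safe path component.
    Drops directory separators ('/' and '\\'), drive-letter prefixes and
    traversal sequences, then restricts the remaining characters.
    Returns '' when nothing usable remains (e.g. the name was only '..')."""
    # Keep only the last path component, treating both separator styles alike.
    name = raw.replace("\\", "/").split("/")[-1]
    # Remove a Windows drive prefix such as 'C:' that can survive the split.
    name = re.sub(r"^[A-Za-z]:", "", name)
    # Strip NUL bytes and replace anything outside a conservative character set.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name.replace("\x00", ""))
    # Names consisting only of dots ('.', '..') are not usable filenames.
    if name.strip(".") == "":
        return ""
    return name[:255]


def store_upload(original_name: str, data: bytes, root: Path = UPLOAD_ROOT) -> dict:
    """Save uploaded bytes under a server-generated name and return its metadata.
    The original filename is recorded only as metadata and never used as a path."""
    root_resolved = root.resolve()
    root_resolved.mkdir(parents=True, exist_ok=True)
    stored_name = secrets.token_hex(16) + ".bin"  # server-chosen, no client input
    dest = (root_resolved / stored_name).resolve()
    # Defence in depth: the generated name cannot escape, but verify anyway.
    if dest.parent != root_resolved:
        raise ValueError("refusing to write outside the upload root")
    dest.write_bytes(data)
    meta = {
        "stored_name": stored_name,
        "original_name": sanitize_filename(original_name),
        "size": len(data),
    }
    # Sidecar metadata file so later processing can still show the user's name.
    (root_resolved / (stored_name + ".json")).write_text(json.dumps(meta))
    return meta


if __name__ == "__main__":
    # Constructed client-supplied names, as a multipart 'filename' field might carry them.
    for name in ["reads.fastq", "../../etc/passwd", "/etc/passwd", "..\\..\\boot.ini"]:
        print(f"{name!r:22} naive -> {naive_destination(name)}  contained={is_within_root(name)}")
        print(f"{'':22} sanitized -> {sanitize_filename(name)!r}")
    print(store_upload("../../etc/passwd", b"ACGT\n"))
```

The containment check alone is sufficient to block the traversal described in the advisory; the server-generated name goes further by removing the attacker's influence over the destination even if a future sanitization bug slips through.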