8nite MetaTrader 4 MCP Path Traversal Vulnerability Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in 8nite MetaTrader 4 MCP version 1.0.0. The issue arises in the 'sync_ea_from_file' component, specifically within the 'CallToolRequestSchema' function of 'src/index.ts'. The vulnerability allows for arbitrary file writing by manipulating the 'ea_name' argument, which is concatenated into file paths without proper validation. This flaw can be exploited remotely, potentially leading to the overwriting or creation of files at arbitrary locations on the server.
Impact
Exploitation of this vulnerability allows for arbitrary file writing, with a high impact on the application's integrity. Overwriting application files, logs, or configurations can disrupt the MCP server or related workflows. Additionally, the vulnerability could be used to read arbitrary local files via the 'sync_ea_from_file' tool, creating a confidentiality risk.
Reproduction
To reproduce this vulnerability, invoke the 'sync_ea' tool with a traversal payload in the 'ea_name' argument. This will create a file in the server's working directory, bypassing the intended 'ea-strategies' directories. The 'sync_ea_from_file' tool can also be used to read arbitrary files accessible to the server process and write their contents to a user-selected location, demonstrating the vulnerability's impact.
Remediation
No official patch is available at this time. However, it is recommended to treat the 'ea_name' argument as an identifier rather than a path, rejecting any traversal sequences or absolute paths. Similar validations should be applied to the 'sync_ea_from_file' tool and in the Windows HTTP bridge to prevent exploitation.
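One way to apply this remediation, as an added example that is not code from the 8nite project: `ea_name` is checked against an identifier allowlist, and the resolved path is then confirmed to stay inside the strategies directory. The names `EA_ROOT`, `resolveEaPath`, and `isAccepted`, the `.mq4` suffix, and the 64-character limit are assumptions.

```typescript
import * as path from "node:path";

// Assumed root: the advisory only names the 'ea-strategies' directories.
const EA_ROOT = path.resolve("ea-strategies");

// Identifier allowlist: letters, digits, underscore, hyphen.
// No dots, slashes, backslashes, colons or NUL bytes can pass, which
// rules out "..", absolute paths and Windows drive prefixes in one check.
const EA_NAME_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Map an untrusted ea_name to a file path under `root`, or throw.
function resolveEaPath(eaName: unknown, root: string = EA_ROOT): string {
  if (typeof eaName !== "string" || !EA_NAME_RE.test(eaName)) {
    throw new Error("ea_name must be a plain identifier");
  }
  const base = path.resolve(root);
  // The server appends the extension; the caller never supplies one (assumed).
  const target = path.resolve(base, `${eaName}.mq4`);

  // Defence in depth: re-check containment after normalisation, so a later
  // loosening of the allowlist cannot silently reintroduce traversal.
  const rel = path.relative(base, target);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error("resolved path escapes the strategies directory");
  }
  return target;
}

// Convenience wrapper for handlers that only need a yes/no answer.
function isAccepted(eaName: unknown): boolean {
  try {
    resolveEaPath(eaName);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs, not taken from the advisory.
const samples: unknown[] = ["MyStrategy_v2", "../outside", "/tmp/outside", "a/b", 42];
for (const s of samples) {
  console.log(JSON.stringify(s), isAccepted(s) ? "accepted" : "rejected");
}
```

The same function can guard both the destination name and any source file argument of 'sync_ea_from_file', with each argument resolved against its own fixed root.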
