Huangjunsen0406 Xiaozhi-Mcphub Path Traversal Vulnerability in DXT Upload Handling
Vulnerability
A path traversal vulnerability has been identified in Huangjunsen0406 Xiaozhi-Mcphub versions through 1.0.3. The issue arises in the DXT upload handler, specifically within the 'src/controllers/dxtController.ts' file. The vulnerability allows an attacker to manipulate the 'manifest.name' value in the uploaded DXT file, causing extracted files to be placed outside the intended directory. This issue can be exploited remotely, and the vulnerability has been publicly disclosed.
Impact
Exploitation lets an attacker control where the contents of an uploaded DXT file are extracted, so files can be written to locations outside the designated upload directory. This can overwrite existing files or disrupt application functionality.
Reproduction
To reproduce this vulnerability, upload a DXT file containing a crafted 'manifest.json' that includes a 'name' value designed to traverse directories, such as '../../' followed by a target directory name. After uploading, the extracted files will appear in the specified directory, demonstrating the path traversal exploit.
Remediation
It is recommended to sanitize the 'manifest.name' value before using it in file paths, ensuring it does not contain traversal sequences or absolute path indicators. Additionally, the upload directory should be monitored and managed to prevent unauthorized access or exploitation.
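One way to apply this check, as an added example that is not code from the Xiaozhi-Mcphub project: the untrusted 'manifest.name' is validated against an allow-list and the resolved directory is then confirmed to stay inside the upload root. The function names, the allow-list pattern and the '/srv/uploads' root are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Assumed allow-list: one path segment that starts with a letter or digit and
// contains only letters, digits, '.', '_' and '-'. Separators, a leading dot
// and absolute-path indicators can never match.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// Resolve the extraction directory for an uploaded DXT package.
// uploadRoot is the intended upload directory (assumed to be configured by the
// application); manifestName is the untrusted value read from manifest.json.
function resolveExtractDir(uploadRoot: string, manifestName: unknown): string {
  if (typeof manifestName !== "string" || !SAFE_NAME.test(manifestName)) {
    throw new Error("manifest.name is not a safe directory name");
  }
  // Independent containment check: even if the allow-list is loosened later,
  // the resolved target must be a strict descendant of the upload root.
  const root = path.resolve(uploadRoot);
  const target = path.resolve(root, manifestName);
  const rel = path.relative(root, target);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error("resolved path escapes the upload directory");
  }
  return target;
}

// Hypothetical helper: true when the name is accepted, false when rejected.
function isAcceptedName(uploadRoot: string, manifestName: unknown): boolean {
  try {
    resolveExtractDir(uploadRoot, manifestName);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample values, including the '../../' form described above.
const samples: unknown[] = ["my-server", "../../etc", "/etc/cron.d", "a/b", "..\\..\\x", 42];
for (const name of samples) {
  console.log(JSON.stringify(name), isAcceptedName("/srv/uploads", name) ? "accepted" : "rejected");
}
```

Rejecting the upload outright is preferable to stripping traversal sequences from the name, since stripping can leave a different but still unsafe value behind.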
