Dazeb Markdown-Downloader Path Traversal Vulnerability

A path traversal vulnerability has been identified in Dazeb Markdown-Downloader, affecting versions up to commit 3d4394b34b6c99d81af817623af55e3384df5a6a. The vulnerability arises in the 'download_markdown', 'list_downloaded_files', and 'create_subdirectory' functions within 'src/index.ts'. The server accepts user-controlled directory parameters and uses them to construct filesystem paths without proper validation, allowing attackers to manipulate the paths and perform unauthorized file operations outside the intended download directory. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for path traversal, enabling unauthorized read, write, and list operations on files outside the designated download directory.

Reproduction

To reproduce this vulnerability, first call the 'download_markdown' function with a crafted 'subdirectory' parameter that includes '../' sequences to traverse directories. The server will write the file to the manipulated path, bypassing intended directory restrictions. Next, use the 'list_downloaded_files' function with the same 'subdirectory' parameter to read files from the traversed path, demonstrating unauthorized file access. Finally, call 'create_subdirectory' with a controlled 'subdirectoryName' to create a directory at the manipulated path, further illustrating the path traversal impact.