Path traversal in iTunesRPC-Remastered
Description
iTunesRPC-Remastered is a Discord Rich Presence utility for iTunes on Windows. In affected versions iTunesRPC-Remastered did not properly sanitize user input used to remove files, allowing file deletion limited only by the permissions of the process. Users are advised to upgrade as soon as possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in iTunesRPC-Remastered allows arbitrary file deletion by unsanitized user input.
Vulnerability
In iTunesRPC-Remastered, a Discord Rich Presence utility for iTunes on Windows, the versions corresponding to commits 3fa8bbf, 1bda8d1, 12a9590, 428b361, 34fb194, b521636, ef3583e, and f5efa6a are vulnerable. The vulnerability exists in server.py, where user-supplied filenames are passed directly to the remove() function without sanitization, producing a path traversal condition (CWE-22, CWE-23, CWE-36, CWE-73, CWE-99).
Exploitation
An attacker who can send crafted HTTP requests to the running application can control the filename argument to the remove() function. By supplying a path with traversal sequences (e.g., ../), the attacker can cause deletion of files outside the intended directory. No authentication is required, and the only limiting factor is the file system permissions of the process.
Impact
Successful exploitation allows an attacker to delete arbitrary files on the system that the process has write access to. This is a severe integrity impact, potentially leading to data loss or service disruption. Confidentiality and availability are not directly affected, but the deletion of critical files can indirectly affect them.
Mitigation
The vulnerability was patched in commit 1eb1e54 by importing secure_filename from werkzeug.utils and wrapping the removal call with werkzeug.utils.secure_filename(filename). Users should upgrade to any commit after 1eb1e54 (i.e., the latest source from the repository). As a workaround, users can manually apply the same code change to their local installation [1][2].
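The flawed pattern and a hardened handler side by side, as an added example that is not code from the iTunesRPC-Remastered repository. The hardened variant uses a stdlib reject-and-contain check in place of the project's werkzeug.utils.secure_filename() so it runs without Werkzeug; the directory and file names in demo() are constructed.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_remove(base_dir: str, filename: str) -> str:
    """The flawed pattern: a user-supplied name is joined to the directory and deleted as-is."""
    target = os.path.join(base_dir, filename)
    os.remove(target)
    return target


def safe_remove(base_dir: str, filename: str) -> str:
    """Hardened variant: reject names carrying path components, then verify containment."""
    # Reject rather than rewrite: a separator or a '.'/'..' name means the caller is not
    # naming a plain file in base_dir. (secure_filename() strips such parts silently.)
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        raise ValueError(f"rejected filename: {filename!r}")
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    # Containment check after resolving symlinks: the file must sit directly under base_dir.
    if target.parent != base:
        raise ValueError(f"path escapes base directory: {filename!r}")
    if not target.is_file():
        raise FileNotFoundError(filename)
    target.unlink()
    return str(target)


def demo() -> dict:
    """Constructed scenario: a cache dir plus a sensitive file one level above it."""
    with tempfile.TemporaryDirectory() as root:
        cache = Path(root, "cache")
        cache.mkdir()
        sensitive = Path(root, "sensitive.txt")
        sensitive.write_text("keep me")
        (cache / "art.jpg").write_bytes(b"\xff\xd8")
        vulnerable_remove(str(cache), "../sensitive.txt")  # traversal escapes cache/
        escaped = not sensitive.exists()
        sensitive.write_text("keep me")  # restore the file for the hardened run
        rejected = False
        try:
            safe_remove(str(cache), "../sensitive.txt")
        except ValueError:
            rejected = True
        safe_remove(str(cache), "art.jpg")  # a legitimate deletion still works
        return {"vulnerable_escaped": escaped, "hardened_rejected": rejected,
                "sensitive_survives": sensitive.exists(),
                "art_removed": not (cache / "art.jpg").exists()}


if __name__ == "__main__":
    print(demo())
```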
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: commits prior to 1eb1e54
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/bildsben/iTunesRPC-Remastered/commit/1eb1e5428f0926b2829a0bbbb65b0d946e608593 (mitre, x_refsource_MISC)
- [2] https://github.com/bildsben/iTunesRPC-Remastered/security/advisories/GHSA-cc8j-fr7v-7r6q (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.