Summary
Missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to.
Details
The missing validation allows malicious AiScript code to prefix a URL with ../ to step out of the /api directory, thereby being able to make requests to other endpoints, such as /files, /url, and /proxy.
PoC
// This doesn't actually do anything, but it shows that it's making the
// request with directory traversal if you check devtools
Mk:api('../proxy/avatar.webp?url=https%3A%2F%2Finsertdomain.name%2Fassets%2Ftwemoji%2F72x72%2F1f44b.png&avatar=1', {})
Impact
Hard to say how much a malicious actor could do with this, given that they already have access to the other API endpoints, but it's better to be safe.
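A check of the kind the Details section describes as missing, written here as an added example (it is not Misskey's code or its actual fix). `API_BASE`, `ENDPOINT_PATTERN` and `checkEndpoint` are hypothetical names, the origin is constructed, and the endpoint-name pattern is an assumption; the code resolves the endpoint the way the URL parser would and rejects anything that leaves `/api` or is not a plain endpoint name.

```javascript
// Added example; API_BASE, ENDPOINT_PATTERN and checkEndpoint are hypothetical names.
const API_BASE = 'https://misskey.example/api/'; // constructed origin

// Assumption: endpoint names are slash-separated segments of letters, digits,
// '-' and '_' (e.g. "notes/create"). Anything else is rejected.
const ENDPOINT_PATTERN = /^[A-Za-z0-9_-]+(?:\/[A-Za-z0-9_-]+)*$/;

// Returns { ok, url, reason }. `url` is where a request built from
// API_BASE + endpoint would land once the URL parser normalizes dot segments.
function checkEndpoint(endpoint) {
  if (typeof endpoint !== 'string') {
    return { ok: false, url: null, reason: 'not a string' };
  }
  let resolved;
  try {
    resolved = new URL(endpoint, API_BASE);
  } catch {
    return { ok: false, url: null, reason: 'unparseable' };
  }
  const base = new URL(API_BASE);
  if (resolved.origin !== base.origin) {
    return { ok: false, url: resolved.href, reason: 'leaves origin' };
  }
  if (!resolved.pathname.startsWith(base.pathname)) {
    return { ok: false, url: resolved.href, reason: 'leaves /api' };
  }
  // Catches what path resolution alone misses: encoded slashes, query strings.
  if (!ENDPOINT_PATTERN.test(endpoint)) {
    return { ok: false, url: resolved.href, reason: 'not an endpoint name' };
  }
  return { ok: true, url: resolved.href, reason: null };
}

// Constructed inputs: the advisory's traversal shape plus variants of it.
const samples = [
  'notes/create',
  '../proxy/avatar.webp?url=https%3A%2F%2Fexample.com%2Fa.png&avatar=1',
  '%2e%2e/files/x',
  '..\\url',
  '/proxy/avatar.webp',
  '//other.example/api/i',
  '..%2fproxy',
];
for (const s of samples) {
  const r = checkEndpoint(s);
  console.log(JSON.stringify(s), '->', r.ok ? 'allowed' : `blocked (${r.reason})`, r.url);
}
```

The percent-encoded and backslash variants are normalized by the URL parser in the same way as a literal `../`, which is why the check runs on the resolved URL rather than on a substring search for `../`.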