Mobile Verification Toolkit (MVT): Path Traversal via Unsanitized File Identifiers in iOS Backup Processing
The fileID field from Manifest.db (a SQLite database inside iOS backups, generated by the device) is used directly in filesystem path construction without validation. This affects two commands through a shared code path:

- mvt-ios decrypt-backup (decrypt.py): file_id is used to construct both read source and write destination paths. Traversal sequences in file_id cause decrypted content to be written to an arbitrary location on the analyst's filesystem.
- mvt-ios check-backup (via _get_backup_file_from_id() …
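
One way to validate a fileID before it reaches path construction, as an added example that is not MVT's code or its fix. It assumes fileID values are 40 lowercase hex characters stored under a subdirectory named after their first two characters; `resolve_in_root`, `triage_file_ids` and `UnsafeFileID` are hypothetical names, and the sample values are constructed.

```python
import os
import re

# Assumption: a backup fileID is a 40-character lowercase hex digest and the
# file lives at <root>/<first two characters>/<fileID>.
FILE_ID_RE = re.compile(r"[0-9a-f]{40}")


class UnsafeFileID(ValueError):
    """Raised when a fileID from Manifest.db must not be turned into a path."""


def resolve_in_root(root, file_id):
    """Return the path for file_id under root, or raise UnsafeFileID."""
    # Allow-list the format first: separators, dots and absolute paths never
    # reach os.path.join.
    if not isinstance(file_id, str) or not FILE_ID_RE.fullmatch(file_id):
        raise UnsafeFileID(f"rejected fileID: {file_id!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, file_id[:2], file_id))
    # Containment check after resolving symlinks: a well-formed fileID can
    # still escape if a subdirectory inside the backup is a symlink.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafeFileID(f"fileID resolves outside root: {file_id!r}")
    return candidate


def triage_file_ids(root, file_ids):
    """Split fileID values into (accepted paths, rejected ids) for reporting."""
    accepted, rejected = [], []
    for fid in file_ids:
        try:
            accepted.append(resolve_in_root(root, fid))
        except UnsafeFileID:
            rejected.append(fid)
    return accepted, rejected


# Constructed sample values, not taken from a real backup.
SAMPLE_IDS = [
    "3d0d7e5fb2ce288813306e4d4636395e047a3d28",  # well-formed
    "../../outside.txt",                          # relative traversal
    "aa/../../outside.txt",                       # traversal behind a prefix
    "/absolute/elsewhere",                        # absolute path
]
```

The same check applies to both the read source and the write destination, since the page states both are built from the same value. Rejected IDs are worth logging, because a malformed fileID in a device-generated database is itself a finding.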