PHP ZipArchive::extractTo() Directory Traversal Vulnerability

2008.12.05
Credit: Stefan Esser
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: PHP ZipArchive::extractTo() Directory Traversal Vulnerability Release Date: 2008/12/04 Last Modified: 2008/12/04 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: PHP 5 <= 5.2.6 Severity: PHP applications using ZipArchive::extractTo() to unpack zip archive files can be tricked to overwrite arbitrary files writable by the webserver which might result in PHP remote code execution Risk: Medium Vendor Status: Vendor has released PHP 5.2.7 which contains an updated ZipArchive::extractTo() method that flattens the filename stored inside zip archives before unpacking Reference: http://www.sektioneins.de/advisories/SE-2008-06.txt Overview: Quote from http://www.php.net "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." PHP comes with the zip extension that provides the ZipArchive class for zip archive manipulation. During an audit of a large scale PHP applications that uses ZipArchive::extractTo() to unpack user uploaded zip archives to temporary directories it was discovered that ZipArchive::extractTo() does not flatten the filenames stored inside the zip archives. Therefore it is possible to create zip archives containing relative filenames that when unpacked will create or overwrite files outside of the temporary directory. In the applications like the one in question this results in a remote PHP code execution vulnerability, because we are able to drop new PHP files in writable directories within the webserver's document root directory. Details: No details required. To exploit this an attacker just needs to create a zip archive containing filenames like ../../../../../../../../../../../var/www/wr_dir/evil.php An easy way to achieve that is to just store a file with a long name inside the zip archive and then change it with a hex editor Proof of Concept: SektionEins GmbH is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 23. June 2008 - Notified security_at_php&#46;net 04. December 2008 - PHP developers released PHP 5.2.7 04. December 2008 - Public Disclosure Recommendation: It is recommended to upgrade to the latest version of PHP which also fixes additional vulnerabilities reported by third parties. Grab your copy at: http://www.php.net/get/php-5.2.7.tar.bz2/from/a/mirror CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet. GPG-Key: pub 1024D/15ABDA78 2004-10-17 Stefan Esser <stefan.esser_at_sektioneins&#46;de> Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78 Copyright 2008 SektionEins GmbH. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkk3qT4ACgkQSuF5XhWr2nho0QCgi6JABGlJUbf7Z3eR61J7KQMH JhoAnRBzGsfci/OsDBEVtv+UBE2UZ+I1 =X9Yi -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top