Drupal H5P Module 2.0.0 Zip Slip Traversal

2022.12.05
Credit: EgiX
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

------------------------------------------------------------------ Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability ------------------------------------------------------------------ [-] Software Link: https://www.drupal.org/project/h5p [-] Affected Versions: Version 2.0.0-alpha2 and prior versions. Version 7.x-1.50 and prior versions. [-] Vulnerability Description: The vulnerability is located within the H5PValidator::isValidPackage() method. This implements the following check in order to skip any file or folder starting with a dot or underscore within the uploaded h5p archive: 891. $fileName = $zip->statIndex($i)['name']; 892. 893. if (preg_match('/(^[\._]|\/[\._])/', $fileName) !== 0) { 894. continue; // Skip any file or folder starting with a . or _ 894. } This regex check should be enough to prevent path traversal attacks through zipped filenames (Zip Slip attacks), because it checks for the string “/.” within the filename, thus preventing directory traversal attacks. However, the vulnerability exists if Drupal is running on a Windows server, because in this case the attacker can provide a malicious h5p archive containing a filename with path traversal sequences like “..\..\..”, which would bypass the above regex check. This can be exploited to write (or overwrite) semi-arbitrary files in the file system via directory traversal sequences, potentially leading to Stored Cross-Site Scripting (XSS) and other kind of attacks. [-] Solution: No official solution is currently available. [-] Disclosure Timeline: [22/11/2021] - Vendor notified [28/02/2022] - Vendor proposed a possible patch [28/02/2022] - Vendor notified about the ineffective patch, provided a fix suggestion [01/03/2022] - Vendor fixed the previous patch [30/03/2022] - Asked update about the public disclosure and release of a patch, no response [22/11/2022] - After one year still no official solution available [03/12/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://security.drupal.org/node/175968 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-06


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top