[php-maint] Bug#507857: php5/ext/zip: ZipArchive::extractTo() Directory Traversal Vulnerability
Raphael Geissert
atomo64 at gmail.com
Fri Dec 5 03:11:06 UTC 2008
Source: php5
Version: 5.2.0-1
Severity: important
Tags: security
Hi,
The following advisory has been published.
SE-2008-06.txt[1]:
> [...] it
> was discovered that ZipArchive::extractTo() does not flatten
> the filenames stored inside the zip archives.
>
> Therefore it is possible to create zip archives containing
> relative filenames that when unpacked will create or overwrite
> files outside of the temporary directory.
>
> In the applications like the one in question this results in
> a remote PHP code execution vulnerability, because we are
> able to drop new PHP files in writable directories within
> the webserver's document root directory.
The diffstat between the code of 5.2.6 and PHP_5_2 is huge[2], and attempting
to use libzip is of no use because it: a) is impossible due to PHP-specific
changes in the lib, and b) libzip doesn't fix the problem[3].
Note: after a quick search for the usage of the vulnerable method I found no
match in the 14 packages in sid I checked.
[1] http://www.sektioneins.de/advisories/SE-2008-06.txt
[2] 71 files changed, 1489 insertions(+), 1084 deletions(-)
[3] The bug is specific to the application using the library, not the library
itself.
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
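Added example, not part of the original message or of the advisory: since the report places the bug in the application rather than the library, this is one way an application can validate entry names before calling ZipArchive::extractTo(). The helper names isSafeEntryName() and safeExtract() and the sample entry names are assumptions made up for illustration.

```php
<?php
// Added example: application-side validation of zip entry names.
// isSafeEntryName() and safeExtract() are hypothetical helper names.
function isSafeEntryName(string $name): bool
{
    $name = str_replace('\\', '/', $name);      // treat backslashes as separators
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;                           // empty name or embedded NUL byte
    }
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;                           // absolute path or drive letter
    }
    // Reject any parent-directory component anywhere in the path.
    return !in_array('..', explode('/', $name), true);
}

function safeExtract(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $accepted = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $zip->close();                      // refuse the whole archive
            throw new RuntimeException("unsafe entry at index $i, archive refused");
        }
        $accepted[] = $name;
    }
    // Only names that passed the check are handed to extractTo();
    // an archive with no entries is treated as a successful no-op.
    $ok = $accepted === [] || $zip->extractTo($destDir, $accepted);
    $zip->close();
    if (!$ok) {
        throw new RuntimeException("extraction failed");
    }
    return $accepted;
}

// Constructed sample names showing which ones the check accepts.
foreach (['docs/readme.txt', '../outside.txt', '/abs/file', 'a/../../b', 'c\\..\\d'] as $n) {
    printf("%-18s %s\n", $n, isSafeEntryName($n) ? 'ok' : 'rejected');
}
```

The check rejects the archive as a whole rather than skipping individual entries, so a single relative or absolute name stops extraction before anything is written.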