[php-maint] Bug#507857: php5/ext/zip: ZipArchive::extractTo() Directory Traversal Vulnerability

Raphael Geissert atomo64 at gmail.com
Fri Dec 5 03:11:06 UTC 2008

Source: php5
Version: 5.2.0-1
Severity: important
Tags: security


The following advisory has been published.

> [...] it
>   was discovered that ZipArchive::extractTo() does not flatten
>   the filenames stored inside the zip archives.
>   Therefore it is possible to create zip archives containing
>   relative filenames that when unpacked will create or overwrite
>   files outside of the temporary directory.
>   In the applications like the one in question this results in
>   a remote PHP code execution vulnerability, because we are
>   able to drop new PHP files in writable directories within
>   the webserver's document root directory.

The diffstat between the code of 5.2.6 and PHP_5_2 is huge[2], and attempting 
to use libzip is of no use because it: a) is impossible due to PHP-specific 
changes in the lib, and b) libzip doesn't fix the problem[3].

Note: after a quick search for the usage of the vulnerable method I found no 
match in the 14 packages in sid I checked.

[1] http://www.sektioneins.de/advisories/SE-2008-06.txt
[2] 71 files changed, 1489 insertions(+), 1084 deletions(-)
[3] The bug is specific to the application using the library, not the library 

Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20081204/3e6348c8/attachment.pgp 

More information about the pkg-php-maint mailing list