[php-maint] Bug#507857: php5/ext/zip: ZipArchive::extractTo() Directory Traversal Vulnerability
atomo64 at gmail.com
Fri Dec 5 03:11:06 UTC 2008
The following advisory has been published.
> [...] it
> was discovered that ZipArchive::extractTo() does not flatten
> the filenames stored inside the zip archives.
> Therefore it is possible to create zip archives containing
> relative filenames that when unpacked will create or overwrite
> files outside of the temporary directory.
> In the applications like the one in question this results in
> a remote PHP code execution vulnerability, because we are
> able to drop new PHP files in writable directories within
> the webserver's document root directory.
The diffstat between the code of 5.2.6 and PHP_5_2 is huge, and attempting
to use libzip is of no use because it: a) is impossible due to PHP-specific
changes in the lib, and b) libzip doesn't fix the problem.
Note: after a quick search for the usage of the vulnerable method I found no
match in the 14 packages in sid I checked.
 71 files changed, 1489 insertions(+), 1084 deletions(-)
 The bug is specific to the application using the library, not the library
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
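
The following is an added example, not part of the original message and not code from PHP or Debian: one way an application can check entry names itself before calling ZipArchive::extractTo(), since the method does not flatten them. The helper names `entry_is_contained()` and `safe_extract()` are hypothetical, the entry names at the end are constructed, and it assumes a current PHP with the zip extension.

```php
<?php
// Added example: validate entry names before calling ZipArchive::extractTo().
// entry_is_contained() and safe_extract() are hypothetical helper names.

function entry_is_contained(string $name): bool
{
    $name = str_replace('\\', '/', $name);   // treat backslash as a separator too
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if ($name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)) {
        return false;                         // absolute path or drive letter
    }
    // Any ".." component is refused outright rather than resolved.
    return !in_array('..', explode('/', $name), true);
}

function safe_extract(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    try {
        $names = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || !entry_is_contained($name)) {
                // Reject the whole archive; nothing has been written yet.
                throw new RuntimeException('unsafe entry name: ' . var_export($name, true));
            }
            $names[] = $name;
        }
        if (!$zip->extractTo($destDir, $names)) {
            throw new RuntimeException("extraction failed: $zipPath");
        }
        return $names;
    } finally {
        $zip->close();
    }
}

// Constructed entry names, for illustration only.
foreach (['docs/readme.txt', '../outside.php', 'a/../../b.php', '/etc/x', 'C:\\x.php'] as $n) {
    printf("%-18s %s\n", $n, entry_is_contained($n) ? 'accept' : 'reject');
}
```

All names are checked before anything is written, so a single unsafe entry rejects the archive without leaving a partial extraction behind.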