unzoo Traversal Arbitrary File Overwrite

2004-10-15T00:00:00
ID OSVDB:11231
Type osvdb
Reporter doubles (doubles@hush.com)
Modified 2004-10-15T00:00:00

Description

Vulnerability Description

The unzoo utility has been reported to be vulnerable to traversal-style attacks (/../) when uncompressing an archive. As reported, this would allow an attacker to overwrite any file the victim user has permission to write to. However, unzoo (or tar or zip) allows full/absolute paths in archives, which could be used in the same fashion regardless of traversal notation. This is a non-issue.

Solution Description

The reported vulnerability is incorrect. No solution is required.

References:

Security Tracker: 1011673
Secunia Advisory ID: 12857
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0451.html
CVE-2004-2190
Bugtraq ID: 11417