IZArc Multiple Archive Traversal Arbitrary File Write

2006-04-24T12:02:36
ID OSVDB:24895
Type osvdb
Reporter Claus Berghamer
Modified 2006-04-24T12:02:36

Description

Vulnerability Description

IZArc contains a flaw that allows a remote attacker to extract files to arbitrary locations on the filesystem, possibly overwriting system binaries and other sensitive or confidential information. The issue is due to IZArc not properly sanitizing the pathnames of archived files, specifically pathnames that contain directory traversal sequences (../../).
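
The missing pathname check, shown as an added example (not IZArc's code and not part of the original advisory): a pre-extraction audit that flags archive entry names able to resolve outside the destination directory. The function names, the reject policy and the sample entry names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PureWindowsPath


def is_unsafe_member(name: str) -> bool:
    """Return True if an entry name could resolve outside the extraction directory."""
    # PureWindowsPath treats both '/' and '\\' as separators and recognises
    # drive letters and UNC prefixes, which is how a Windows extractor sees the name.
    p = PureWindowsPath(name)
    if p.drive or p.root:  # C:\x, C:x, \\server\share\x, \x, /x
        return True
    for part in p.parts:
        # Reject '..' outright. Conservative assumption of this example: also
        # reject any component made only of dots and spaces (e.g. '.. ').
        if part.rstrip(" .") == "":
            return True
    return False


def audit_archive(data: bytes) -> list[str]:
    """List the entry names in a ZIP archive that must not be extracted as-is."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_unsafe_member(n)]


def build_sample() -> bytes:
    """Constructed sample archive held in memory; entry names are made up."""
    names = (
        "docs/readme.txt",         # ordinary relative entry
        "../../outside1.txt",      # traversal with forward slashes
        "..\\..\\outside2.txt",    # traversal with backslashes
        "C:\\outside3.txt",        # drive-qualified absolute path
        "/outside4.txt",           # rooted path
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in audit_archive(build_sample()):
        print("refuse to extract:", entry)
```
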

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.izarc.org/
Secunia Advisory ID: 19791
FrSIRT Advisory: ADV-2006-1488
CVE-2006-2006
Bugtraq ID: 17664