Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Drupal H5P Module 2.0.0 Zip Slip Traversal

🗓️ 05 Dec 2022 00:00:00Reported by EgiX, karmainsecurity.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 324 Views

Drupal H5P Module 2.0.0 Zip Slip Vulnerabilit

Code
`------------------------------------------------------------------  
Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability  
------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.drupal.org/project/h5p  
  
  
[-] Affected Versions:  
  
Version 2.0.0-alpha2 and prior versions.  
Version 7.x-1.50 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerability is located within the H5PValidator::isValidPackage()   
method. This implements the following check in order to skip any file or   
folder starting with a dot or underscore within the uploaded h5p   
archive:  
  
891. $fileName = $zip->statIndex($i)['name'];  
892.  
893. if (preg_match('/(^[\._]|\/[\._])/', $fileName) !== 0) {  
894. continue; // Skip any file or folder starting with a . or _  
894. }  
  
This regex check should be enough to prevent path traversal attacks   
through zipped filenames (Zip Slip attacks), because it checks for the   
string “/.” within the filename, thus preventing directory traversal   
attacks. However, the vulnerability exists if Drupal is running on a   
Windows server, because in this case the attacker can provide a   
malicious h5p archive containing a filename with path traversal   
sequences like “..\..\..”, which would bypass the above regex check.   
This can be exploited to write (or overwrite) semi-arbitrary files in   
the file system via directory traversal sequences, potentially leading   
to Stored Cross-Site Scripting (XSS) and other kind of attacks.  
  
  
[-] Solution:  
  
No official solution is currently available.  
  
  
[-] Disclosure Timeline:  
  
[22/11/2021] - Vendor notified  
[28/02/2022] - Vendor proposed a possible patch  
[28/02/2022] - Vendor notified about the ineffective patch, provided a   
fix suggestion  
[01/03/2022] - Vendor fixed the previous patch  
[30/03/2022] - Asked update about the public disclosure and release of a   
patch, no response  
[22/11/2022] - After one year still no official solution available  
[03/12/2022] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has not assigned a CVE identifier for this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Other References:  
  
https://security.drupal.org/node/175968  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2022-06  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Dec 2022 00:00Current
drupalh5pzip slipvulnerabilitypath traversalwindows serverstored cross-site scriptingdisclosure timelinecve referenceegidio romano
324