SE-2008-06.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
SektionEins GmbH  
www.sektioneins.de  
  
-= Security Advisory =-  
  
  
Advisory: PHP ZipArchive::extractTo() Directory Traversal Vulnerability  
Release Date: 2008/12/04  
Last Modified: 2008/12/04  
Author: Stefan Esser [stefan.esser[at]sektioneins.de]  
  
Application: PHP 5 <= 5.2.6  
Severity: PHP applications using ZipArchive::extractTo() to unpack zip  
archive files can be tricked to overwrite arbitrary files  
writable by the webserver which might result in PHP remote  
code execution  
Risk: Medium  
Vendor Status: Vendor has released PHP 5.2.7 which contains an updated  
ZipArchive::extractTo() method that flattens the filename  
stored inside zip archives before unpacking  
Reference: http://www.sektioneins.de/advisories/SE-2008-06.txt  
  
  
Overview:  
  
Quote from http://www.php.net  
"PHP is a widely-used general-purpose scripting language that  
is especially suited for Web development and can be embedded  
into HTML."  
  
PHP comes with the zip extension that provides the ZipArchive  
class for zip archive manipulation. During an audit of a large  
scale PHP applications that uses ZipArchive::extractTo() to  
unpack user uploaded zip archives to temporary directories it  
was discovered that ZipArchive::extractTo() does not flatten  
the filenames stored inside the zip archives.  
  
Therefore it is possible to create zip archives containing  
relative filenames that when unpacked will create or overwrite  
files outside of the temporary directory.  
  
In the applications like the one in question this results in  
a remote PHP code execution vulnerability, because we are  
able to drop new PHP files in writable directories within  
the webserver's document root directory.  
  
  
Details:  
  
No details required. To exploit this an attacker just needs to  
create a zip archive containing filenames like  
  
../../../../../../../../../../../var/www/wr_dir/evil.php  
  
An easy way to achieve that is to just store a file with a long  
name inside the zip archive and then change it with a hex editor  
  
  
Proof of Concept:  
  
SektionEins GmbH is not going to release a proof of concept  
exploit for this vulnerability.  
  
  
Disclosure Timeline:  
  
23. June 2008 - Notified [email protected]  
04. December 2008 - PHP developers released PHP 5.2.7  
04. December 2008 - Public Disclosure  
  
  
Recommendation:  
  
It is recommended to upgrade to the latest version of PHP  
which also fixes additional vulnerabilities reported by  
third parties.  
  
Grab your copy at:  
http://www.php.net/get/php-5.2.7.tar.bz2/from/a/mirror  
  
  
CVE Information:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has  
not assigned a name to this vulnerability yet.  
  
  
GPG-Key:  
  
pub 1024D/15ABDA78 2004-10-17 Stefan Esser <[email protected]>  
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78  
  
  
Copyright 2008 SektionEins GmbH. All rights reserved.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.8 (Darwin)  
  
iEYEARECAAYFAkk3qT4ACgkQSuF5XhWr2nho0QCgi6JABGlJUbf7Z3eR61J7KQMH  
JhoAnRBzGsfci/OsDBEVtv+UBE2UZ+I1  
=X9Yi  
-----END PGP SIGNATURE-----  
`