Stefan Esser reported a directory traversal flaw in PHP:
PHP comes with the zip extension that provides the ZipArchive
class for zip archive manipulation. During an audit of a large
scale PHP applications that uses ZipArchive::extractTo() to
unpack user uploaded zip archives to temporary directories it
was discovered that ZipArchive::extractTo() does not flatten
the filenames stored inside the zip archives.
Therefore it is possible to create zip archives containing
relative filenames that when unpacked will create or overwrite
files outside of the temporary directory.
In the applications like the one in question this results in
a remote PHP code execution vulnerability, because we are
able to drop new PHP files in writable directories within
the webserver's document root directory.
Fixed upstream in 5.2.7:
This issue does not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. PHP version in Red Hat Application Stack v2 is affected.
PHP 5.1.x (RHEL5 and Stack-v1) does not ship zip extension at all.
PHP 4.x (RHEL2.1 - RHEL4) contains zip extension, but it different from the one used in PHP 5.2+ (no ZipArchive class), and requires zzlib library. This library is not shipped in any version of Red Hat Enterprise Linux, and there PHP packages in RHEL2.1 - RHEL4 are not built with zip extension.
CVE id CVE-2008-5658 was assigned to this issue:
Directory traversal vulnerability in the ZipArchive::extractTo
function in PHP 5.2.6 and earlier allows context-dependent attackers
to write arbitrary files via a ZIP file with a file whose name
contains .. (dot dot) sequences.
This issue has been addressed in following products:
Red Hat Web Application Stack for RHEL 5
Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.