Bug 474824 (CVE-2008-5658) - CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
Summary: CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-5658
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: CVE-2009-1272
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-05 14:48 UTC by Tomas Hoger
Modified: 2021-11-12 19:54 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-03-29 08:46:44 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0350 0 normal SHIPPED_LIVE Moderate: php security update 2009-04-14 17:14:37 UTC

Description Tomas Hoger 2008-12-05 14:48:59 UTC 
Stefan Esser reported a directory traversal flaw in PHP:

  PHP comes with the zip extension that provides the ZipArchive
  class for zip archive manipulation. During an audit of a large
  scale PHP applications that uses ZipArchive::extractTo() to
  unpack user uploaded zip archives to temporary directories it
  was discovered that ZipArchive::extractTo() does not flatten
  the filenames stored inside the zip archives.

  Therefore it is possible to create zip archives containing
  relative filenames that when unpacked will create or overwrite
  files outside of the temporary directory.

  In the applications like the one in question this results in
  a remote PHP code execution vulnerability, because we are
  able to drop new PHP files in writable directories within
  the webserver's document root directory.

Reference:
http://www.sektioneins.de/advisories/SE-2008-06.txt

Fixed upstream in 5.2.7:
http://www.php.net/ChangeLog-5.php#5.2.7

Upstream fix:
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.62&r2=1.63
Comment 1 Tomas Hoger 2008-12-05 14:52:36 UTC 
This issue does not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1.  PHP version in Red Hat Application Stack v2 is affected.

PHP 5.1.x (RHEL5 and Stack-v1) does not ship zip extension at all.

PHP 4.x (RHEL2.1 - RHEL4) contains zip extension, but it different from the one used in PHP 5.2+ (no ZipArchive class), and requires zzlib library.  This library is not shipped in any version of Red Hat Enterprise Linux, and there PHP packages in RHEL2.1 - RHEL4 are not built with zip extension.
Comment 3 Tomas Hoger 2008-12-18 09:06:11 UTC 
CVE id CVE-2008-5658 was assigned to this issue:

Directory traversal vulnerability in the ZipArchive::extractTo
function in PHP 5.2.6 and earlier allows context-dependent attackers
to write arbitrary files via a ZIP file with a file whose name
contains .. (dot dot) sequences.
Comment 4 errata-xmlrpc 2009-04-14 17:14:46 UTC 
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html
Comment 5 Fedora Update System 2009-05-30 02:34:00 UTC 
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-05-30 02:38:03 UTC 
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.