Bug 474824 (CVE-2008-5658) - CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
Summary: CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
Alias: CVE-2008-5658
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: CVE-2009-1272
TreeView+ depends on / blocked
Reported: 2008-12-05 14:48 UTC by Tomas Hoger
Modified: 2021-11-12 19:54 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-29 08:46:44 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0350 0 normal SHIPPED_LIVE Moderate: php security update 2009-04-14 17:14:37 UTC

Description Tomas Hoger 2008-12-05 14:48:59 UTC
Stefan Esser reported a directory traversal flaw in PHP:

  PHP comes with the zip extension that provides the ZipArchive
  class for zip archive manipulation. During an audit of a large
  scale PHP applications that uses ZipArchive::extractTo() to
  unpack user uploaded zip archives to temporary directories it
  was discovered that ZipArchive::extractTo() does not flatten
  the filenames stored inside the zip archives.

  Therefore it is possible to create zip archives containing
  relative filenames that when unpacked will create or overwrite
  files outside of the temporary directory.

  In the applications like the one in question this results in
  a remote PHP code execution vulnerability, because we are
  able to drop new PHP files in writable directories within
  the webserver's document root directory.


Fixed upstream in 5.2.7:

Upstream fix:

Comment 1 Tomas Hoger 2008-12-05 14:52:36 UTC
This issue does not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1.  PHP version in Red Hat Application Stack v2 is affected.

PHP 5.1.x (RHEL5 and Stack-v1) does not ship zip extension at all.

PHP 4.x (RHEL2.1 - RHEL4) contains zip extension, but it different from the one used in PHP 5.2+ (no ZipArchive class), and requires zzlib library.  This library is not shipped in any version of Red Hat Enterprise Linux, and there PHP packages in RHEL2.1 - RHEL4 are not built with zip extension.

Comment 3 Tomas Hoger 2008-12-18 09:06:11 UTC
CVE id CVE-2008-5658 was assigned to this issue:

Directory traversal vulnerability in the ZipArchive::extractTo
function in PHP 5.2.6 and earlier allows context-dependent attackers
to write arbitrary files via a ZIP file with a file whose name
contains .. (dot dot) sequences.

Comment 4 errata-xmlrpc 2009-04-14 17:14:46 UTC
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html

Comment 5 Fedora Update System 2009-05-30 02:34:00 UTC
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-05-30 02:38:03 UTC
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.