BugTraq
Archive_Tar v 1.2(Tested) (Tar file management class) Directory traversal Feb 24 2006 01:57PM
h e (het_ebadi yahoo com)
Archive_Zipr (Zip file management class) Directory
traversal

This class provides handling of tar files in PHP.
It supports creating, listing, extracting and adding
to tar files.
Gzip support is available if PHP has the zlib
extension built-in or
loaded. Bz2 compression is also supported with the bz2
extension loaded.
http://www.phpconcept.net
http://www.zend.com/pear/whoiswho.php?pkg=Archive_Tar
http://pear.php.net/package/Archive_Tar

Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team) : admin (at) hamid (dot) ir. [email concealed]
The original article can be found at :
http://hamid.ir/security

Vulnerable Systems:
Tested on zip.lib.php v 1.1

Detail :
Directory traversal while extracting (.ZIP)

What is Directory traversal in archivers?

that allowed one to create malicous archive files,
which would overwrite system files or place dangerous
files in defined directory(example :shell.php in
wwwroot directory)
This could be abused by sending an archive to a local
user who would unzip / untar an archive, the archive
would then be able to overwrite any file to which the
user has write permissions, thus it could also be
abused if a system ran som antivirus software which
automatically opened archive files.

harmless exploit:
use HEAP [Hamid Evil Archive Pack]
you can find it from Hamid Network Security Team:

http://www.hamid.ir/tools/

want to know more ?
http://www.hamid.ir/paper

Signature

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus