Potential Security Issues with PHP's ZipArchive

Tags: php, zip

I want to allow members the option of uploading content using a zip file. Once uploaded, I want to use PHP's ZipArchive class to decompress the zip file contents to a directory, and then move the files into our system.

I'm concerned about the potential security risks though, and I can't find any documentation on php.net. The first (Well, the only) risk that comes to mind, is someone creating a zip file with relative paths like "../../etc/passwd" (If they assume I decompress the file in /tmp/somedir).

I'm actually having a hard time creating a relative path in a zip file, so I can't test if such a thing would be possible. I also can't find any way to extract the contents of the zip file using ZipArchive, and have it ignore directories (Decompress all the files, but don't create the directory structure inside the zip).

Can anyone tell me if such an exploit is possible, and/or how to ignore the directory structure in a zip file using ZipArchive?

mellowsoon asked Jul 12 '11 15:07


3 Answers

Interesting question, but I urge you to go about this a different way. I would highly recommend you run your web process with least privileges in a chroot jail. Assuming you do that, the WORST thing that can happen is your website gets defaced, and then you restore a backup and do some forensics to plug that specific hole. New holes are discovered constantly; you will have a very difficult time completely securing your website going after hunches like these. Minimizing the attacker's sandbox really goes a long way.

Josh answered Oct 14 '22 11:10


I had the same concerns and had a look at the PHP 5.3 source code where I found this:

/* Clean/normlize the path and then transform any path (absolute or relative)
   to a path relative to cwd (../../mydir/foo.txt > mydir/foo.txt)
 */
virtual_file_ex(&new_state, file, NULL, CWD_EXPAND TSRMLS_CC);
path_cleaned =  php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
if(!path_cleaned) {
    return 0;
}

Looks fine to me. Check out PHP and see ./ext/zip/php_zip.c for details.

adonig answered Oct 14 '22 11:10


You need to make sure that the extracted contents are not served directly by your application server. So if someone has a PHP file in his archive, he can't execute it via your webserver.

Another thing is you should keep things safe from being included in user-generated content. But this should be considered also without having zip archives in place.

fyr answered Oct 14 '22 12:10
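An added example, not code from the thread or from PHP's own sources, that puts the two halves of the question together. It walks an uploaded archive with ZipArchive, rejects entry names containing `..` components, absolute paths or drive letters before relying on the normalisation adonig quotes from php_zip.c, writes each member under its basename only (so the archive's directory structure is ignored, the second thing asked), and checks that every final path still lies inside the destination. The destination directory is meant to sit outside the web root, as fyr's answer advises. The function names, the paths and the uncompressed-size cap are assumptions of this example and do not come from the thread.

```php
<?php
declare(strict_types=1);

/**
 * Extract every file in $zipPath into $destDir, flattening the archive's
 * directory layout and refusing traversal-looking names.
 * Example code only (not from the thread or from PHP); $maxBytes is an
 * assumed cap on total uncompressed size so a small archive cannot fill the disk.
 * Returns the absolute paths written; throws on the first rejected entry.
 */
function extractFlat(string $zipPath, string $destDir, int $maxBytes = 50 * 1024 * 1024): array
{
    $zip = new ZipArchive();
    $rc = $zip->open($zipPath);            // true on success, libzip error code otherwise
    if ($rc !== true) {
        throw new RuntimeException("cannot open archive (ZipArchive error code $rc)");
    }

    // Resolve the destination once; every written path is compared against it.
    $destReal = realpath($destDir);
    if ($destReal === false || !is_dir($destReal)) {
        throw new RuntimeException("destination does not exist: $destDir");
    }

    $written = [];
    $total = 0;

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);       // ['name', 'size', 'crc', ...]
        if ($stat === false) {
            throw new RuntimeException("cannot stat entry $i");
        }
        $name = $stat['name'];

        // Directory entries end in '/'; since we flatten, nothing is created for them.
        if (substr($name, -1) === '/') {
            continue;
        }
        // Reject suspicious names up front, even though only the basename is used.
        if (!isSafeEntryName($name)) {
            throw new RuntimeException("rejected entry name: $name");
        }
        $total += $stat['size'];
        if ($total > $maxBytes) {
            throw new RuntimeException("archive exceeds $maxBytes bytes uncompressed");
        }

        // Flatten: keep only the final path component of the stored name.
        $base = basename(str_replace('\\', '/', $name));
        if ($base === '' || $base === '.' || $base === '..') {
            throw new RuntimeException("unusable file name in entry: $name");
        }
        $target = $destReal . DIRECTORY_SEPARATOR . $base;

        // Belt and braces: the target's parent must be exactly the destination.
        if (dirname($target) !== $destReal) {
            throw new RuntimeException("path escapes destination: $target");
        }
        if (file_exists($target)) {
            throw new RuntimeException("duplicate file name after flattening: $base");
        }

        // Read through the zip stream instead of extractTo(), so the archive's
        // own directory layout is never reproduced on disk.
        $in = $zip->getStream($name);
        if ($in === false) {
            throw new RuntimeException("cannot read entry: $name");
        }
        $out = fopen($target, 'xb');       // 'x' fails if the file appeared meanwhile
        if ($out === false) {
            fclose($in);
            throw new RuntimeException("cannot create: $target");
        }
        stream_copy_to_stream($in, $out);
        fclose($in);
        fclose($out);
        $written[] = $target;
    }

    $zip->close();
    return $written;
}

/** True unless the name is absolute, a drive-letter path, contains '..' or a NUL byte. */
function isSafeEntryName(string $name): bool
{
    $n = str_replace('\\', '/', $name);
    if ($n === '' || strpos($n, "\0") !== false) {
        return false;
    }
    if ($n[0] === '/' || preg_match('/^[A-Za-z]:/', $n) === 1) {
        return false;
    }
    return !in_array('..', explode('/', $n), true);
}

// Usage with constructed paths: extract into a private directory outside the
// document root, then move the files into the application from there.
// $files = extractFlat('/tmp/upload.zip', '/var/app/private/incoming');
```

Reading members via `getStream()` and writing them yourself is what makes "ignore the directory structure" possible; `extractTo()` always recreates the stored paths. The name check is deliberately stricter than the basename step needs, because an archive that carries `../` or absolute entries is itself a signal worth rejecting and logging rather than silently repairing.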