Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Potential Security Issues with PHP's ZipArchive

Tags:

php

zip

I want to allow members the option of uploading content using a zip file. Once uploaded, I want to use PHP's ZipArchive class to decompress the zip file contents to a directory, and then move the files into our system.

I'm concerned about the potential security risks though, and I can't find any documentation on php.net. The first (Well, the only) risk that comes to mind, is someone creating a zip file with relative paths like "../../etc/passwd" (If they assume I decompress the file in /tmp/somedir).

I'm actually having a hard time creating a relative path in a zip file, so I can't test if such a thing would be possible. I also can't find any way to extract the contents of the zip file using ZipArchive, and have it ignore directories (Decompress all the files, but don't create the directory structure inside the zip).

Can anyone tell me if such an exploit is possible, and/or how to ignore the directory structure in a zip file using ZipArchive?

like image 578
mellowsoon Avatar asked Jul 12 '11 15:07

mellowsoon

3 Answers

Interesting question, but I urge you to go about this a different way. I would highly recommend you run your web process with least privileges in a chroot jail. Assuming you do that, the WORST thing that can happen is your website get's defaced, and then you restore a backup and do some forensics to plug that specific hole. New holes are discovered constantly, you will have a very difficult time completely securing your website going after hunches like these. Minimizing the attacker's sandbox really goes a long way.

like image 181
Josh Avatar answered Oct 14 '22 11:10

Josh

I had the same concerns and had a look at the PHP 5.3 source code where I found this:

/* Clean/normlize the path and then transform any path (absolute or relative)
         to a path relative to cwd (../../mydir/foo.txt > mydir/foo.txt)
 */
virtual_file_ex(&new_state, file, NULL, CWD_EXPAND TSRMLS_CC);
path_cleaned =  php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
if(!path_cleaned) {
    return 0;
}

Looks fine to me. Checkout PHP and see ./ext/zip/php_zip.c for details.

like image 3
adonig Avatar answered Oct 14 '22 11:10

adonig

You need to make sure that the extracted contents are not served directly by your application server. So if someone has a php file in his archive that he cant execute it via your webserver.

Another thing is you should keep things safe from being included in user generated content. But this should be considered also without having zip archives in place.

like image 1
fyr Avatar answered Oct 14 '22 12:10

fyr
Sign in to Comment

Related questions

PostgreSQL + PHP + UTF8 = invalid byte sequence for encoding
Cookies/Sessions login system
How do I use the subscriber option?
PHP PECL_HTTP vs cURL Extension
Regular expression to match ">", "<", "&" chars that appear inside XML nodes
Plug and play login system?
Version control for PHP Development [closed]
How to Prevent Concurrent User Logins in PHP/MySQL Site?
PHP Unit Testing with Zend Auth and Zend ACL
Function/method argument validation standards
RPC frameworks available?
PDO::ATTR_AUTOCOMMIT ignores non-transactional INSERT/UPDATE
Error establishing a database connection on wordpress
Unit testing sockets
java vs php benchmark [closed]
PHP: scandir() is too slow
Resolving incorrect character encoding when displaying MySQL database results after upgrade to PHP 5.3
php: looking for pdf library which supports html->pdf [duplicate]
Why can't you have require* statements in a class definition?
Dealing with duplication in a message queue

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!