PEAK XOOPS - uploaded zip extracting security

PHP : uploaded zip extracting security
Poster : GIJOE on 2006-04-06 10:39:12 (15021 reads)

Though I've released "zip file upload" modules, the library PEAR::Archive_Zip used by those modules has two security holes.

(1) Directory traversal when extracting a zip into the file system: an entry whose stored name contains "../" (or an absolute path) is written outside the target directory.
(2) It is easy to create a zip that exhausts the server's memory when it is extracted (a "zip bomb").

Against (1), don't extract a zip into the file system directly; extract it into memory instead:


	require_once 'Archive/Zip.php' ;
	// $upload_tmp_file is the tmp_name of the uploaded file ($_FILES[...]['tmp_name'])
	$reader = new Archive_Zip( $upload_tmp_file ) ;
	$files = $reader->extract( array( 'extract_as_string' => true ) ) ;

The extracted bodies come back as an array, $files, one element per archive member, with the member's name in 'stored_filename' and its data in 'content'; nothing has been written to disk yet. Then save them into files yourself, and carefully: keep only the base name of each entry, discard anything with ".." or a leading slash, and write only into the directory you chose.

But for (2) there is, in fact, no real fix. With extract_as_string the whole decompressed body is held in memory, and the sizes recorded in the archive headers can be forged, so they cannot be trusted to tell a bomb from an honest archive before extraction; PHP's memory_limit at best turns a crashed server into a failed request.
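As an added example (my own code, not from the original post or from the myAlbum-P modules), here is how the advice for (1) can be put together with the partial mitigations for (2): extract into memory, keep only a sanitised base name with a whitelisted extension, write only into a fixed directory, reject archives whose declared total size is too large, and cap memory_limit for the request. The names $uploadTmpFile, $destDir, $allowedExt, $maxTotal and the form field "zipfile" are assumptions. The size check and memory_limit do not solve (2); they only bound the damage, which is why the post still restricts zip upload to the admin side.

```php
<?php
// Added example, not part of the original post or the modules it describes.
// Requires PEAR::Archive_Zip (Archive/Zip.php on the include path).
require_once 'Archive/Zip.php';

/**
 * Turn an archive entry name into a safe file name inside the destination
 * directory, or return false if the entry must be skipped. Only the last
 * path component is kept, so "../../etc/passwd" or "C:\boot.ini" collapse
 * to "passwd" / "boot.ini", and the extension is then checked against a
 * whitelist. Dot-files and double extensions (shell.php.jpg) are rejected.
 */
function safe_entry_name($storedName, array $allowedExt)
{
    // Archives may use either separator; normalise, then keep the base name only.
    $name = basename(str_replace('\\', '/', $storedName));
    if ($name === '' || $name === '.' || $name === '..'
        || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return false;
    }
    if ($name[0] === '.' || substr_count($name, '.') !== 1) {
        return false;
    }
    $ext = strtolower(substr($name, strrpos($name, '.') + 1));
    return in_array($ext, $allowedExt, true) ? $name : false;
}

/**
 * Extract the uploaded zip $uploadTmpFile into $destDir (an existing,
 * web-server-writable directory) and return the paths written.
 * $maxTotal caps the sizes *declared* in the archive's central directory;
 * a crafted archive can lie about them, so this only rejects archives that
 * are honest about being too big. memory_limit is the backstop for the rest.
 */
function extract_upload_safely($uploadTmpFile, $destDir, array $allowedExt, $maxTotal = 8388608)
{
    $destReal = realpath($destDir);
    if ($destReal === false || !is_dir($destReal)) {
        return array();
    }

    $zip = new Archive_Zip($uploadTmpFile);

    // listContent() returns 0 on error, otherwise one entry per member.
    $list = $zip->listContent();
    if (!is_array($list)) {
        return array();
    }
    $declared = 0;
    foreach ($list as $entry) {
        $declared += (int)$entry['size'];
    }
    if ($declared > $maxTotal) {
        return array();
    }

    // Bound this request's memory so a zip bomb aborts the request, not the
    // server. Headroom above $maxTotal is a guess; tune it to the real workload.
    ini_set('memory_limit', (string)($maxTotal * 4 + 16 * 1048576));

    // Extract into memory, never straight onto the file system.
    $files = $zip->extract(array('extract_as_string' => true));
    if (!is_array($files)) {
        return array();
    }

    $written = array();
    foreach ($files as $entry) {
        if (!empty($entry['folder'])) {
            continue; // directory entries carry no data
        }
        $name = safe_entry_name($entry['stored_filename'], $allowedExt);
        if ($name === false) {
            continue;
        }
        $target = $destReal . DIRECTORY_SEPARATOR . $name;
        if (file_exists($target)) {
            continue; // never overwrite an existing file
        }
        if (file_put_contents($target, $entry['content']) !== false) {
            $written[] = $target;
        }
    }
    return $written;
}

// Usage (assumed form field name "zipfile" and an assumed album directory):
// $saved = extract_upload_safely($_FILES['zipfile']['tmp_name'],
//                                '/var/www/uploads/album',
//                                array('jpg', 'jpeg', 'png', 'gif'));
```

Because basename() discards every directory component, entries are flattened into $destDir; an album module that wants sub-folders would have to validate each path component the same way rather than trust the stored path.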

Thus, you cannot allow anonymous users to upload zips.
When I implement a zip-archive feature in myAlbum-P, it has to be an admin-side function.

Since there was no CSRF threat with an HTTP upload (browsers of the time gave a page no way to submit a file upload on the user's behalf), we only need to care about "direct attacks" by the uploader. Later browser APIs removed that guarantee, so an admin-side upload form is best protected with a CSRF token like any other state-changing form.
