lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Mar 2022 22:19:03 +0200 From: Egidio Romano <research@...mainsecurity.com> To: Full Disclosure <fulldisclosure@...lists.org>, submissions@...ketstormsecurity.com Subject: [FD] [KIS-2022-05] Joomla! <= 4.1.0 (Tar.php) Zip Slip Vulnerability ------------------------------------------------- Joomla! <= 4.1.0 (Tar.php) Zip Slip Vulnerability ------------------------------------------------- [-] Software Link: http://www.joomla.org/ [-] Affected Versions: Version 4.1.0 and prior versions. Version 3.10.6 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /libraries/vendor/joomla/archive/src/Tar.php script. Specifically, into the Joomla\Archive\Tar::extract() method: 113. $this->getTarInfo($this->data); 114. 115. for ($i = 0, $n = \count($this->metadata); $i < $n; $i++) 116. { 117. $type = strtolower($this->metadata[$i]['type']); 118. 119. if ($type == 'file' || $type == 'unix file') 120. { 121. $buffer = $this->metadata[$i]['data']; 122. $path = Path::clean($destination . '/' . $this->metadata[$i]['name']); 123. 124. // Make sure the destination folder exists 125. if (!Folder::create(\dirname($path))) 126. { 127. throw new \RuntimeException('Unable to create destination folder ' . \dirname($path)); 128. } 129. 130. if (!File::write($path, $buffer)) 131. { 132. throw new \RuntimeException('Unable to write entry to file ' . $path); 133. } 134. } 135. } The vulnerability exists because the above code is using the filename within the Tar archive ($path variable created at line 122) to write the extracted file by using File::write() at line 130, without properly verifying the destination path. This could be exploited to carry out Zip Slip (or Path Traversal) attacks and write/overwrite arbitrary files, potentially resulting in execution of arbitrary PHP code or other dangerous impacts. In the Joomla! core, successful exploitation of this vulnerability would require administrator privileges. However, there could be third-party components using the Joomla\Archive\Archive::extract() method. In such cases, this might potentially be exploited also by unauthenticated attackers, depending on the context. [-] Solution: Upgrade to version 3.10.7, 4.1.1, or later. [-] Disclosure Timeline: [19/02/2021] - Vendor notified [21/02/2021] - Vulnerability acknowledged by the vendor [21/02/2021] - Vendor sent details about a proposed patch [21/02/2021] - Sent feedback about the patch correctness [29/03/2022] - Vendor update released [29/03/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2022-23793 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://developer.joomla.org/security-centre/870-20220301 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-05 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists