
I am just testing some web application. In this web application, I can upload some files, at least as a zip archive. I came up with an idea to test whether I could place a file at a specific location I want. My first idea is to put some sort of hard-coded paths in a zip archive. Now, with this I have several questions:

  1. Is this also true in zip archives: Can I put some hard coded paths within a zip archive?
  2. If 1. is true, which tool would be good for that? Are there any specific tools for that?
  3. Is there an official name for that sort of vulnerability?
devopsfun
  • "relative paths" I think is what you are looking for. You want to upload and hope that when it gets unzipped, a file goes to a predictable place on the server, like `/etc/passwd`. – schroeder Mar 05 '18 at 20:34
  • @schroeder Yes, that was the situation I meant. – devopsfun Mar 05 '18 at 20:49
  • This question has 2 parts: can an archive utility hardcode paths, and that's very simple to look up in the documentation, and it's not a security question. The second part might be called "insecure direct object references" (an older OWASP Top 10 entry) – schroeder Mar 05 '18 at 21:02

1 Answer

> I could place a file at a specific location I want. My first idea is to put some sort of hard coded paths in a zip archive.

It's not difficult to do; most zip archivers have a command-line argument to specify hard-coded paths. Example: `pkzip -add -path=root ...`

These vulnerabilities have been well documented: https://wiki.sei.cmu.edu/confluence/plugins/servlet/mobile?contentId=88487470#content/view/88487470

Failure to specify the hard coded path during extraction might be caught as an "(E9) No file(s) were processed" error. Source: https://support.pkware.com/plugins/servlet/mobile#content/view/6488122

Any decent software checks for these attempts. Once the software correctly determines where you want to write to, it's up to the operating system to allow it; if properly configured, the access won't be allowed.

This idea is too old to succeed; it will be blocked on many levels.

A user can't elevate their privilege by uploading a file, or the web application has a serious security flaw.

Rob