From: Egidio Romano <research () karmainsecurity com>
Date: Sat, 03 Dec 2022 15:31:55 +0100
------------------------------------------------------------------ Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability ------------------------------------------------------------------ [-] Software Link: https://www.drupal.org/project/h5p [-] Affected Versions: Version 2.0.0-alpha2 and prior versions. Version 7.x-1.50 and prior versions. [-] Vulnerability Description:
The vulnerability is located within the H5PValidator::isValidPackage()
method. This implements the following check in order to skip any file or
folder starting with a dot or underscore within the uploaded h5p
archive:
891. $fileName = $zip->statIndex($i)['name']; 892. 893. if (preg_match('/(^[._]|/[._])/', $fileName) !== 0) { 894. continue; // Skip any file or folder starting with a . or _ 894. }
This regex check should be enough to prevent path traversal attacks
through zipped filenames (Zip Slip attacks), because it checks for the
string “/.” within the filename, thus preventing directory traversal
attacks. However, the vulnerability exists if Drupal is running on a
Windows server, because in this case the attacker can provide a
malicious h5p archive containing a filename with path traversal
sequences like “......”, which would bypass the above regex check.
This can be exploited to write (or overwrite) semi-arbitrary files in
the file system via directory traversal sequences, potentially leading
to Stored Cross-Site Scripting (XSS) and other kind of attacks.
[-] Solution: No official solution is currently available. [-] Disclosure Timeline: [22/11/2021] - Vendor notified [28/02/2022] - Vendor proposed a possible patch
[28/02/2022] - Vendor notified about the ineffective patch, provided a
fix suggestion
[01/03/2022] - Vendor fixed the previous patch
[30/03/2022] - Asked update about the public disclosure and release of a
patch, no response
[22/11/2022] - After one year still no official solution available [03/12/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://security.drupal.org/node/175968 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-06 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability Egidio Romano (Dec 03)