SpeedProject .ZIP and .JAR archives directory traversal

speedproject-zip-jar-directory-traversal (24909) The risk level is classified as MediumMedium Risk

Description:

SpeedProject SpeedCommander could allow a remote attacker to traverse directories on the system. A remote attacker could create malicious .ZIP or .JAR archive files which, once the archive is opened, would allow the attacker to traverse directories and overwrite arbitrary files on a victim's system.

Platforms Affected:

  • SpeedProject, SpeedCommander 11.01 Build 4450
  • SpeedProject, Squeeze 5.10
  • SpeedProject, ZipStar 5.10

Remedy:

No remedy available as of July 4, 2009.

Consequences:

File Manipulation

References:

  • BugTraq Mailing List, Fri Feb 24 2006 - 08:00:33 CST, SpeedCommander 11.0 & ZipStar 5.1 & Squeez 5.1 Directory traversal at http://archives.neohapsis.com/archives/bugtraq/2006-02/0445.html.
  • SpeedProject Web site, Product listing at http://www.speedproject.de/enu/download.html.
  • BID-16807: Multiple SpeedProject Applications Remote Directory Traversal Vulnerability
  • CVE-2006-0890: Directory traversal vulnerability in SpeedProject Squeez 5.1, as used in (1) ZipStar 5.1 and (2) SpeedCommander 11.01.4450, allows remote attackers to overwrite arbitrary files via unspecified manipulations in a (1) JAR or (2) ZIP archive.
  • OSVDB ID: 23465: SpeedProject Products ZIP/JAR Archive Traversal Arbitrary File Overwrite
  • SA19006: SpeedProject Products ZIP and JAR Directory Traversal
  • VUPEN/ADV-2006-0731: SpeedProject Products ZIP and JAR Directory Traversal Vulnerability

Reported:

Feb 24, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page