BitZipper extract directory traversal

bitzipper-extract-directory-traversal (26626) The risk level is classified as MediumMedium Risk

Description:

BitZipper could allow a remote attacker to traverse directories. Archived files compressed with RAR, TAR, ZIP, JAR or .GZ are not validated when extracted. A remote attacker could create a malicious archive with specially-crafted path names containing "dot dot" sequences (../) which, once extracted, could allow the attacker to traverse directories and overwrite files on the system.

Platforms Affected:

  • Bitberry, BitZipper 4.1.2 and prior

Remedy:

No remedy available as of July 4, 2009.

Consequences:

Obtain Information

References:

  • BitZipper Web site, Unzip any compressed file easily. WinZip, PKZip, WinAce and WinRAR compatible. at http://www.bitzipper.com/.
  • BugTraq Mailing List, Mon May 22 2006 - 05:59:10 CDT, BitZipper Archive Extraction Directory traversal at http://archives.neohapsis.com/archives/bugtraq/2006-05/0430.html.
  • BID-18065: BitZipper Remote Directory Traversal Vulnerability
  • CVE-2006-2520: Directory traversal vulnerability in BitZipper 4.1.2 SR-1 and earlier allows remote attackers to create files in arbitrary directories via a .. (dot dot) in the filename of a file that is stored in a (1) RAR (.rar), (2) TAR (.tar), (3) ZIP (.zip), (4) GZ (.gz), or (5) JAR (.jar) archive.
  • OSVDB ID: 25693: BitZipper Multiple Archive Traversal Arbitrary File Write
  • SA20207: BitZipper Multiple Archive Directory Traversal Vulnerability
  • SECTRACK ID: 1016132: BitZipper Directory Traversal in Processing RAR/TAR/ZIP/GZ/JAR Archives Lets Remote Users Write Files to Arbitrary Locations
  • VUPEN/ADV-2006-1907: BitZipper Multiple Archive Handling Client-Side Directory Traversal Vulnerability

Reported:

May 22, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page