0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Drupal H5P Module 2.0.0 Zip Slip Traversal Vulnerability
------------------------------------------------------------------ Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability ------------------------------------------------------------------ [-] Software Link: https://www.drupal.org/project/h5p [-] Affected Versions: Version 2.0.0-alpha2 and prior versions. Version 7.x-1.50 and prior versions. [-] Vulnerability Description: The vulnerability is located within the H5PValidator::isValidPackage() method. This implements the following check in order to skip any file or folder starting with a dot or underscore within the uploaded h5p archive: 891. $fileName = $zip->statIndex($i)['name']; 892. 893. if (preg_match('/(^[\._]|\/[\._])/', $fileName) !== 0) { 894. continue; // Skip any file or folder starting with a . or _ 894. } This regex check should be enough to prevent path traversal attacks through zipped filenames (Zip Slip attacks), because it checks for the string “/.” within the filename, thus preventing directory traversal attacks. However, the vulnerability exists if Drupal is running on a Windows server, because in this case the attacker can provide a malicious h5p archive containing a filename with path traversal sequences like “..\..\..”, which would bypass the above regex check. This can be exploited to write (or overwrite) semi-arbitrary files in the file system via directory traversal sequences, potentially leading to Stored Cross-Site Scripting (XSS) and other kind of attacks. [-] Solution: No official solution is currently available. [-] Disclosure Timeline: [22/11/2021] - Vendor notified [28/02/2022] - Vendor proposed a possible patch [28/02/2022] - Vendor notified about the ineffective patch, provided a fix suggestion [01/03/2022] - Vendor fixed the previous patch [30/03/2022] - Asked update about the public disclosure and release of a patch, no response [22/11/2022] - After one year still no official solution available [03/12/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://security.drupal.org/node/175968 # 0day.today [2024-09-28] #