A Zip Slip vulnerability was identified in the plugin upload feature (uploadPlugin.php). During the extraction of ZIP archives, file paths are not properly validated, allowing an attacker to include malicious relative paths (e.g., ../) in order to write files outside the intended extraction directory.
This weakness enables bypassing file management security mechanisms and allows arbitrary file writes on the server’s filesystem, including the deployment of malicious PHP scripts such as webshells.
Limited technical details disclosed
No additional technical details are being disclosed at this stage in order to reduce the potential impact these vulnerabilities could have on self-hosted instances. For the moment, this will remain the case until we receive approval from ANSSI. This article is not an exploitation tutorial, and I disclaim all responsibility for any malicious use or damage resulting from the information provided.
To mitigate the Zip Slip vulnerability, it is essential to validate and normalize each file path before extraction. The idea is to ensure that every file in the archive strictly remains within the intended directory and that no malicious relative or absolute path (../ or /etc/passwd) can be used to write outside the secure directory.
The archive should be processed file by file, ignoring any suspicious entries.
Code (PHP):
<?php
$zip = new ZipArchive();
$zipFile = 'uploaded_plugin.zip';
$extractTo = realpath('/path/to/safe/directory/');
if ($extractTo === false) {
    throw new Exception("Extraction directory does not exist");
}
$base = $extractTo . DIRECTORY_SEPARATOR;
if ($zip->open($zipFile) === TRUE) {
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        // Normalize the path lexically and check that it stays inside the secure directory.
        // realpath() cannot be used on the entry itself: it returns false for files that do not exist yet.
        $segments = preg_split('#[/\\\\]+#', $entry, -1, PREG_SPLIT_NO_EMPTY);
        $segments = array_values(array_filter($segments, fn($s) => $s !== '.'));
        if ($entry === '' || $entry[0] === '/' || $entry[0] === '\\' || preg_match('#^[A-Za-z]:#', $entry)
            || empty($segments) || in_array('..', $segments, true)) {
            // Absolute path or traversal segment: invalid path, skip the entry
            continue;
        }
        $entryPath = $base . implode(DIRECTORY_SEPARATOR, $segments);
        // Prefix check including the trailing separator, so that "/path/to/safe/directory2"
        // is not accepted as being inside "/path/to/safe/directory"
        if (strpos($entryPath, $base) !== 0) {
            continue;
        }
        if (substr($entry, -1) === '/') {
            // Directory entry: create it and move on
            if (!is_dir($entryPath)) { mkdir($entryPath, 0755, true); }
            continue;
        }
        // Create the parent directory if needed, then extract the entry safely
        if (!is_dir(dirname($entryPath))) { mkdir(dirname($entryPath), 0755, true); }
        copy('zip://' . $zipFile . '#' . $entry, $entryPath);
    }
    $zip->close();
} else {
    throw new Exception("Unable to open the ZIP archive");
}
?>
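The same entry check written in Python, as an added example that is not part of the original advisory: it resolves each archive path lexically (no filesystem access, so it also works for files that do not exist yet) and compares whole path components, which also rejects a sibling-directory case such as "../safe2/x.php" that a plain string-prefix comparison would wrongly accept. The destination directory and the archive contents are constructed samples.

```python
import io
import os
import zipfile


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Return True only if entry_name, resolved lexically, stays strictly inside dest_dir."""
    # Absolute paths and drive letters are never acceptable in a plugin archive.
    if entry_name == "" or entry_name.startswith(("/", "\\")) or ":" in entry_name[:2]:
        return False
    dest = os.path.abspath(dest_dir)
    # Lexical resolution of "." and ".." segments; backslashes are treated as separators too.
    target = os.path.normpath(os.path.join(dest, entry_name.replace("\\", "/")))
    # commonpath compares whole components, so "/srv/plugins/safe2" is not inside "/srv/plugins/safe".
    return os.path.commonpath([dest, target]) == dest and target != dest


def classify_archive(zip_bytes: bytes, dest_dir: str) -> dict:
    """Map every entry name in the archive to whether it may be extracted into dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: is_safe_entry(dest_dir, name) for name in zf.namelist()}


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate plugin file plus three entries that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/main.php", "<?php // benign plugin file ?>")
        zf.writestr("../../outside.php", "x")      # classic traversal
        zf.writestr("/etc/passwd", "x")            # absolute path
        zf.writestr("../safe2/sneaky.php", "x")    # sibling directory sharing the prefix
    return buf.getvalue()


if __name__ == "__main__":
    for name, ok in classify_archive(build_sample_archive(), "/srv/plugins/safe").items():
        print(("extract " if ok else "REJECT  ") + name)
```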