Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Input Validation Flaw in ZipArchive::extractTo() May Let Remote Users Overwrite Files on the Target System
SecurityTracker Alert ID:  1021303
SecurityTracker URL:
CVE Reference:   CVE-2008-5658   (Links to External Site)
Updated:  Dec 23 2008
Original Entry Date:  Dec 4 2008
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.2.6 and prior versions
Description:   A vulnerability was reported in PHP. A remote user may be able to create or overwrite files on the target system.

The ZipArchive::extractTo() function does not properly validate user-supplied input. A remote user can supply a zip archive containing a specially crafted file name to PHP applications that use the function to cause the target application to create or overwrite files on target system with the privileges of the web service.

A remote user may be able to exploit this to execute arbitrary code on the target system with the privileges of the web service.

A demonstration exploit file name is provided:


The vendor was notified on June 23, 2008.

Stefan Esser of SektionEins GmbH reported this vulnerability.

The original advisory is available at:

Impact:   A remote user can create or overwrite files on the target system with the privileges of the web service.
Solution:   The vendor has issued a fixed version (5.2.7), available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 14 2009 (Red Hat Issues Fix) PHP Input Validation Flaw in ZipArchive::extractTo() May Let Remote Users Overwrite Files on the Target System
Red Hat has released a fix for Red Hat Application Stack v2.

 Source Message Contents

Subject:  [Full-disclosure] Advisory 06/2008: PHP ZipArchive::extractTo()

Hash: SHA1

                         SektionEins GmbH

                     -= Security  Advisory =-

     Advisory: PHP ZipArchive::extractTo() Directory Traversal Vulnerability
 Release Date: 2008/12/04
Last Modified: 2008/12/04
       Author: Stefan Esser [stefan.esser[at]]

  Application: PHP 5 <= 5.2.6
     Severity: PHP applications using ZipArchive::extractTo() to unpack zip
               archive files can be tricked to overwrite arbitrary files
               writable by the webserver which might result in PHP remote
               code execution
         Risk: Medium
Vendor Status: Vendor has released PHP 5.2.7 which contains an updated
               ZipArchive::extractTo() method that flattens the filename
               stored inside zip archives before unpacking


  Quote from
  "PHP is a widely-used general-purpose scripting language that
   is especially suited for Web development and can be embedded
   into HTML."

  PHP comes with the zip extension that provides the ZipArchive
  class for zip archive manipulation. During an audit of a large
  scale PHP applications that uses ZipArchive::extractTo() to
  unpack user uploaded zip archives to temporary directories it
  was discovered that ZipArchive::extractTo() does not flatten
  the filenames stored inside the zip archives.

  Therefore it is possible to create zip archives containing
  relative filenames that when unpacked will create or overwrite
  files outside of the temporary directory.

  In the applications like the one in question this results in
  a remote PHP code execution vulnerability, because we are
  able to drop new PHP files in writable directories within
  the webserver's document root directory.


  No details required. To exploit this an attacker just needs to
  create a zip archive containing filenames like


  An easy way to achieve that is to just store a file with a long
  name inside the zip archive and then change it with a hex editor

Proof of Concept:

  SektionEins GmbH is not going to release a proof of concept
  exploit for this vulnerability.

Disclosure Timeline:

  23. June     2008 - Notified
  04. December 2008 - PHP developers released PHP 5.2.7
  04. December 2008 - Public Disclosure


  It is recommended to upgrade to the latest version of PHP
  which also fixes additional vulnerabilities reported by
  third parties.
  Grab your copy at:

CVE Information:

  The Common Vulnerabilities and Exposures project ( has
  not assigned a name to this vulnerability yet.


  pub  1024D/15ABDA78 2004-10-17 Stefan Esser <>
  Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78

Copyright 2008 SektionEins GmbH. All rights reserved.
Version: GnuPG v1.4.8 (Darwin)


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC