CVE-2020-28337 - Microweber v1.1.20 - Zip Slip Directory Traversal
Vulnerability
CVE ID: CVE-2020-28337
CVSS Score: 6.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Affected Vendors: Microweber
Affected Products: Microweber (<=1.1.20)
Description
In Microweber version 1.1.20 and earlier, when a backup file is restored, the normalized filenames of the extracted files are not sanitized in a way that protects against directory traversal. This is commonly referred to as a Zip Slip vulnerability. The API endpoint needed to execute the restore, /api/Microweber/Utils/Backup/restore, is restricted to admin users, so admin credentials are required to exploit this vulnerability.
More detail can be found in the associated blog post.
Impact
The impact of this vulnerability is that arbitrary paths can be provided within the zip, such as ../../../../payload.php, allowing arbitrary files contained within the zip to be written to arbitrary directories on the server in the user context of the web server. While the default proof-of-concept writes a PHP file within the web root for code execution, an attacker can also write arbitrary files outside of the web root in the user context of the web server. Additionally, the extracted filenames are not checked against the dangerous file extension list, enabling an extension filter bypass.
Vendor Response
Microweber responded very quickly and had a patch committed within a few hours of verifying the vulnerability. The patch addresses the vulnerability by skipping filenames containing .. in the backup, and was applied to both the zip_open and gzinflate extraction code paths.
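The following is an added illustration of the defensive check the Description and Vendor Response sections describe; it is not Microweber's code or the vendor's patch. The vendor's fix skips entries whose name contains "..". This example goes further, as a general Zip Slip hardening pattern: each entry name is lexically resolved, absolute and drive-letter paths are rejected, the final name is checked against an extension denylist (a constructed list, not Microweber's), and the resolved target is confirmed to lie under the destination directory before anything is written. The function names safeEntryPath() and restoreBackup() and the constant DANGEROUS_EXTENSIONS are assumptions for this example.

```php
<?php
// Added example, not Microweber's code. Names below are assumptions.

// Constructed denylist for this example; a real deployment would use its own.
const DANGEROUS_EXTENSIONS = ['php', 'phtml', 'phar', 'htaccess'];

/**
 * Return the absolute path under $destDir where zip entry $entryName may be
 * written, or null if the entry must be skipped.
 */
function safeEntryPath(string $destDir, string $entryName): ?string
{
    // Canonical destination; realpath() returns false if it does not exist.
    $base = realpath($destDir);
    if ($base === false) {
        return null;
    }

    // Zip entries may carry backslashes; normalise to forward slashes.
    $name = str_replace('\\', '/', $entryName);

    // Reject absolute paths and Windows drive-letter prefixes outright.
    if ($name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return null;
    }

    // Lexically resolve "." and ".." without touching the filesystem.
    $parts = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (empty($parts)) {
                return null;   // would climb above the destination
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    if (empty($parts)) {
        return null;           // entry resolves to the destination itself
    }

    // Apply the extension denylist to the final path component.
    $ext = strtolower(pathinfo(end($parts), PATHINFO_EXTENSION));
    if (in_array($ext, DANGEROUS_EXTENSIONS, true)) {
        return null;
    }

    $target = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);

    // Defence in depth: the final target must still start with the base dir.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Extract $zipFile into $destDir, writing only entries that pass validation.
 * Returns the list of entry names that were skipped.
 */
function restoreBackup(string $zipFile, string $destDir): array
{
    $skipped = [];
    $zip = new ZipArchive();
    if ($zip->open($zipFile) !== true) {
        throw new RuntimeException("cannot open $zipFile");
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry  = $zip->getNameIndex($i);
        $target = safeEntryPath($destDir, $entry);
        if ($target === null) {
            $skipped[] = $entry;
            continue;
        }
        if (substr($entry, -1) === '/') {          // directory entry
            if (!is_dir($target)) {
                mkdir($target, 0750, true);
            }
            continue;
        }
        if (!is_dir(dirname($target))) {
            mkdir(dirname($target), 0750, true);
        }
        // Write through the validated path rather than extractTo(), so the
        // path actually used on disk is the one that was checked.
        file_put_contents($target, $zip->getFromIndex($i));
    }
    $zip->close();
    return $skipped;
}

// Demo with constructed entry names; the traversal name from the advisory,
// the absolute path and the dangerous extension all resolve to null.
$dest = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore-demo';
if (!is_dir($dest)) {
    mkdir($dest, 0750, true);
}
foreach (['images/logo.png', '../../../../payload.php',
          'uploads/shell.phtml', '/etc/passwd', 'a/./b/../c.txt'] as $n) {
    printf("%-28s => %s\n", $n, var_export(safeEntryPath($dest, $n), true));
}
```

The extension check is applied to the resolved final component, so an entry like "a/../b.php" is judged by its real destination name, not by the raw entry string. Writing each entry through the validated path instead of calling extractTo() with the original entry name is what closes the gap: the only path that ever reaches the filesystem is the one that passed the checks.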
Disclosure Timeline
- 2020-10-31 - Vulnerability Discovered
- 2020-11-03 - Disclosed to Microweber
- 2020-11-04 - Microweber confirmed vulnerability
- 2020-11-04 - Patch made available
- 2021-02-01 - Public Disclosure