Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

June 11, 2018

Zip Slip – Universal Government Vulnerability?

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:25 am

Zip Slip vulnerability affects thousands of projects by Zeljka Zorz.

From the post:


The vulnerability, dubbed Zip Slip by the researchers, has been seen in the past before, but was never this widely spread, Snyk CEO Guy Podjarny told Help Net Security.

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the company explained.

“The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking.”

There is a list of vulnerable libraries/apps, good for checking versions to discover failures to update. For the technical details, see: Zip Slip Vulnerability.
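As an added illustration (not code from Snyk or the quoted article), here is the validation step the quoted text says vulnerable extractors omit: a Python extractor that resolves each entry name against the destination directory and refuses the whole archive if any entry would land outside it. The two archives are constructed in memory as test input; the entry name `../../evil.sh` is the one quoted above.

```python
import io
import os
import zipfile

def safe_member_path(dest_dir, name):
    """Resolve an archive entry name under dest_dir; raise ValueError if it escapes.
    Covers '../' segments, absolute names and backslash-separated traversal."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, name.replace("\\", "/")))
    if target != dest_root and not target.startswith(dest_root + os.sep):
        raise ValueError("zip slip attempt blocked: %r" % name)
    return target

def find_escaping_entries(data, dest_dir="extract-here"):
    """Dry run over an archive: return the entry names that would land outside dest_dir."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            try:
                safe_member_path(dest_dir, name)
            except ValueError:
                bad.append(name)
    return bad

def extract_zip_safely(data, dest_dir):
    """Extract into dest_dir, refusing the whole archive if any entry would escape."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Validate every name before writing anything, so a hostile entry late in
        # the archive cannot leave earlier entries already on disk.
        plan = [(info, safe_member_path(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return [info.filename for info, _ in plan]

def build_archive(entries):
    """Build an in-memory zip with arbitrary entry names (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a benign archive and one carrying the post's traversal name "../../evil.sh".
BENIGN_ARCHIVE = build_archive({"docs/readme.txt": b"hello"})
MALICIOUS_ARCHIVE = build_archive({"docs/readme.txt": b"hello", "../../evil.sh": b"placeholder"})
```

`find_escaping_entries` is the same check run as a scanner, useful for inspecting archives before they reach an extractor you do not control.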

A large number of libraries have been updated, but the effectiveness of those updates depends on projects in the wild updating the libraries they use.

Considering the sluggishness of government IT operations, Zip Slip may be a universal government vulnerability even in the face of updated libraries.

Nothing ventured, nothing gained. The worst-case scenario for attackers is that the attack fails.
