Description
Directory traversal vulnerability in BitZipper 4.1.2 SR-1 and earlier allows remote attackers to create files in arbitrary directories via a .. (dot dot) in the filename of a file that is stored in a (1) RAR (.rar), (2) TAR (.tar), (3) ZIP (.zip), (4) GZ (.gz), or (5) JAR (.jar) archive.
Affected products
- bitberry_software / bitzipper – 3.2
- bitberry_software / bitzipper – 3.2.1
- bitberry_software / bitzipper – 3.3
- bitberry_software / bitzipper – 3.4
- bitberry_software / bitzipper – 3.4.1
- bitberry_software / bitzipper – 4.0
- bitberry_software / bitzipper – 4.1
- bitberry_software / bitzipper – 4.1.1
- bitberry_software / bitzipper – 4.1.2
References
- MISC: http://hamid.ir/security/bitzipper.txt
- VENDOR_ADVISORY: http://www.vupen.com/english/advisories/2006/1907
- MISC: http://www.securityfocus.com/archive/1/434713/100/0/threaded
- MISC: http://www.osvdb.org/25693
- MISC: http://www.securityfocus.com/bid/18065
- MISC: https://exchange.xforce.ibmcloud.com/vulnerabilities/26626
- MISC: http://securitytracker.com/id?1016132
- VENDOR_ADVISORY: http://secunia.com/advisories/20207