zip slip and why its not a vulnerability

Ive been reading over some of the web security news recently and came across the “zip slip exploit”. Now this has been repopulated by many “security blogs” as a vulnerability with some major flaws in the understandings path traversal inst always an exploit, although it usually is in web applications.

Ok a exploit is something that shouldnt be achievable but is through some method. Path traversal is not an exploit and the new skool IT generations IMHO need to get more in tune with what they are working with.

So this new skool vulnerability consists of an archive can extract to ../../../ and they thinks thats an exploit. Its kind of worrying on the people who consider themselves experts in these fields cant understand what ../ is.

Path traversal does not constitute a vulnerability. From a current working directory ../../../somepath makes no difference than the archive containg c:\windows/system32\*

And from the security perspective these are user actions so can only be controlled by the users account.

./ is current directory and ../ is parent directory , you windows users should know that from DOS?

Linux, Security, Uncategorized, zip slip

Leave a Reply

Your email address will not be published. Required fields are marked *

fifteen − 4 =