BUG_Author: R1ckyZ
Affected Version: lsFusion ≤ 6.1
Vendor: lsfusion GitHub Repository
Software: lsfusion
Vulnerability Files:
server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java
Description:
The server-side MakeUnzipFileAction invokes the unpackFile method in ZipUtils. That method does not validate entry filenames or symbolic links inside the archive, so an entry whose name contains path traversal sequences is written outside the extraction directory. Files can therefore be written to arbitrary locations and existing files overwritten, leading to arbitrary file overwrite and arbitrary file deletion vulnerabilities. The same issue also affects EmailReceiver.
Proof of Concept:
Since the issue resides in the utility class, the following demo exercises the method in isolation. Build test.zip from a folder whose entry names contain path traversal sequences; after execution, it will overwrite and delete existing files.
import lsfusion.base.file.RawFileData;
import lsfusion.server.physics.dev.integration.external.to.file.ZipUtils;

import java.nio.file.Files;
import java.nio.file.Paths;

public class UnzipTest {
    public static void main(String[] args) throws Exception {
        // Read the whole archive; available() followed by a single read() is not guaranteed to return every byte.
        byte[] bytes = Files.readAllBytes(Paths.get("test.zip"));
        RawFileData file = new RawFileData(bytes);
        String extension = "zip";
        // Hands the untrusted archive straight to the unpatched utility method.
        ZipUtils.unpackFile(file, extension, true);
    }
}
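For comparison, the following is an added example of the entry-name check that closes this class of bug; it is not lsFusion code and does not call ZipUtils. It extracts with java.util.zip, which never recreates symbolic links (every entry becomes a regular file or directory), and refuses any entry whose normalized target path leaves the extraction directory, which covers both "../" sequences and absolute entry names. The class and method names (SafeUnzipDemo, safeUnpack, resolveInside, ZipSlipException) are this example's own, and the archives it processes are constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzipDemo {

    /** Thrown when an archive entry would land outside the extraction directory. */
    public static class ZipSlipException extends IOException {
        public ZipSlipException(String entryName) {
            super("rejected archive entry escaping extraction dir: " + entryName);
        }
    }

    /**
     * Resolve an entry name against the extraction root and refuse it unless the
     * normalized result stays strictly inside that root. Path.resolve would honour
     * an absolute entry name verbatim, and normalize() collapses "../", so the
     * startsWith check after both catches either escape route.
     */
    static Path resolveInside(Path root, String entryName) throws ZipSlipException {
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new ZipSlipException(entryName);
        }
        return target;
    }

    /**
     * Extract a zip archive into root, validating every entry name before touching
     * the filesystem for it. Existing files are never overwritten because Files.copy
     * is called without REPLACE_EXISTING. Returns the paths that were written.
     */
    public static List<Path> safeUnpack(byte[] zipBytes, Path root) throws IOException {
        Path normalizedRoot = root.toAbsolutePath().normalize();
        Files.createDirectories(normalizedRoot);
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = resolveInside(normalizedRoot, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);
                    written.add(target);
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    /** Build a small archive in memory from name/content pairs (constructed test data). */
    static byte[] buildZip(String... nameAndContent) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (int i = 0; i < nameAndContent.length; i += 2) {
                zos.putNextEntry(new ZipEntry(nameAndContent[i]));
                zos.write(nameAndContent[i + 1].getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("safe-unzip-demo");

        // A benign archive extracts normally.
        byte[] benign = buildZip("docs/readme.txt", "hello");
        System.out.println("extracted: " + safeUnpack(benign, root));

        // An archive carrying a traversal entry is refused at that entry, before anything is written for it.
        byte[] hostile = buildZip("ok.txt", "fine", "../../escaped.txt", "must not land here");
        try {
            safeUnpack(hostile, root);
        } catch (ZipSlipException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The check belongs at the point where the entry name is turned into a filesystem path, which is exactly where unpackFile lacks it; checking the name string for "../" alone is weaker, since absolute names and platform-specific separators slip past a substring test while the resolve-normalize-startsWith sequence handles them uniformly.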