OSVDB ID: 24895

Title: IZArc Multiple Archive Traversal Arbitrary File Write

Dates

Disclosure: Apr 24, 2006
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

IZArc contains a flaw that allows a remote attacker to extract files to arbitrary locations on the filesystem, possibly overwriting system binaries and other sensitive or confidential information. The issue is due to IZArc not properly sanitizing the pathnames of archived files, specifically pathnames that contain directory traversal sequences (../../).
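
The pathname check whose absence is described above, sketched as an added example (not IZArc code and not part of the original entry). The function names, the destination folder and the sample archive are assumptions constructed for illustration; the archive is only inspected in memory and nothing is extracted.

```python
import io
import ntpath
import posixpath
import zipfile


def resolve_member(dest_root, member_name):
    """Map an archive member name to a path under dest_root, or raise ValueError."""
    # A Windows extractor must treat both '\' and '/' as separators.
    name = member_name.replace("\\", "/")
    # Absolute, UNC and drive-qualified names ignore the destination folder.
    if name.startswith("/") or ntpath.splitdrive(member_name)[0]:
        raise ValueError("absolute or drive-qualified name")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    # Any '..' component can climb out of dest_root, so refuse it outright.
    if not parts or ".." in parts:
        raise ValueError("empty name or '..' component")
    return posixpath.join(dest_root, *parts)


def audit_archive(zip_bytes, dest_root):
    """Return (accepted {name: target}, rejected [name]) without extracting."""
    accepted, rejected = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                accepted[name] = resolve_member(dest_root, name)
            except ValueError:
                rejected.append(name)
    return accepted, rejected


def build_sample_zip():
    """Constructed sample archive, built in memory; nothing is written to disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.txt", "../../outside.txt",
                     "docs\\..\\..\\outside.txt", "C:\\Temp\\outside.txt"):
            zf.writestr(name, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_archive(build_sample_zip(), "extract_here")
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejecting every ".." component is stricter than normalizing the path and testing containment, but it leaves no room for separator or normalization differences between the check and the code that later writes the file.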

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Ivan Zahariev

IZArc

3.5 beta 3

References

Credit

  • Claus Berghamer


Direct URL: http://osvdb.org/24895