[NT] WinRAR Directory Traversal

• Previous message: SecuriTeam: "[NT] Microsoft IE Recursive Scripting, Embedded Files, window() and Restricted Sites DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 31 May 2005 17:10:47 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  WinRAR Directory Traversal
------------------------------------------------------------------------

SUMMARY

By supplying a special archive file name it is possible to cause WinRAR to
extract files on a different directory then the directory the user has
requested the files to be extracted to.

DETAILS

Vulnerable Systems:
 * WinRAR version 3.42 and prior

WinRAR adds some options to unpack files directly using left-click. The
extracing files directly in the directory option allows you to store the
files in a directory that takes the same name of the compressed file but
without the extension. In the case were the filename is '...zip' and you
use choose to use this option, the uncompressed data will be stored in the
"../" directory.

Disclosure Timeline:
02/01/2005 - Bug discovered
16/01/2005 - Mail sent to the vendor
16/01/2005 - Vendor response
02/02/2005 - Advisory released

ADDITIONAL INFORMATION

The information has been provided by <mailto:ripe@7a69ezine.org> Albert
Puigsech Galicia .

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Microsoft IE Recursive Scripting, Embedded Files, window() and Restricted Sites DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [NT] Microsoft Excel Length Parameter Parsing Buffer Overflow Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... * Microsoft Office XP Software (Excel 2002) ... * Microsoft Office v. X for Mac ... (Securiteam) [EXPL] Ipswitch WhatsUp Gold Remote Buffer Overflow Exploit ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WhatsUp Gold Remote Buffer Overflow Vulnerability, ... print $socket "Referer: ... (Securiteam) [NT] Microsoft Windows NTFS Improper Handler Closing ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system shutdown, uninitialized data may be visible in files from ... (Securiteam) [NEWS] Mac OS X Panther Screen Lock Bypass ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... tedious in actual practice thus far. ... For the first time user actually executing anything ... (Securiteam) [NT] Windows FTP Server Format String Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Windows FTP Server, is "a small, easy to use FTP ... First chance exceptions are reported before any exception handling. ... (Securiteam)