lsFusion Path Traversal Vulnerability in Zip File Handling Allowing Arbitrary File Overwrite and Deletion

Vulnerability

A path traversal vulnerability has been identified in the lsFusion platform in versions through 6.1. The issue arises in the 'unpackFile' function of 'ZipUtils.java', which does not validate the file names or symbolic links contained in a zip archive before extracting them. Because of this, entry names can traverse out of the intended extraction directory, so files are written to arbitrary locations on the server, and existing files can be overwritten or deleted. The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for arbitrary file overwrite and deletion on the server where lsFusion is running.

Reproduction

To reproduce this vulnerability, create a zip file named 'test.zip' whose entry names contain path traversal sequences ('../') that navigate up the directory tree. Once the zip file is prepared, use the 'MakeUnzipFileAction' to invoke the 'unpackFile' method in 'ZipUtils'. The method extracts the contents of the zip file without restriction, leading to the overwriting or deletion of files on the server.
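The defensive counterpart to the flaw described above is an extraction routine that refuses any entry resolving outside the destination directory. The following Java class is an added example and is not lsFusion's code; 'SafeUnzip', 'unpack' and 'resolveInside' are names chosen here, and the in-memory archive built by 'sampleZip' is constructed test data. It covers both the '../' entry names from the reproduction section and the pre-existing-symlink case: the entry name is normalized and compared against the real destination path before anything is written, and the parent directory is re-checked with 'toRealPath' so a symlink already sitting inside the destination cannot redirect the write. Note that java.util.zip never creates symbolic links from archive entries; a symlink entry is written as a plain file, so only the pre-existing-symlink case needs handling here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {

    /** Thrown when a zip entry would land outside the destination directory. */
    public static final class ZipSlipException extends IOException {
        ZipSlipException(String entryName) {
            super("zip entry escapes destination directory: " + entryName);
        }
    }

    /**
     * Extracts every entry of zipStream into destDir. Each entry name is resolved
     * against destDir and normalized ("../" collapsed) before any file is touched.
     * An entry that would resolve outside destDir, or whose parent directory is a
     * symlink pointing outside destDir, aborts the extraction with ZipSlipException.
     */
    public static void unpack(InputStream zipStream, Path destDir) throws IOException {
        // Canonical destination; every entry is compared against this real path.
        Path root = Files.createDirectories(destDir).toRealPath();
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = resolveInside(root, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // A symlink already present inside destDir could redirect the write:
                    // re-check where the parent really lives once it exists.
                    if (!target.getParent().toRealPath().startsWith(root)) {
                        throw new ZipSlipException(entry.getName());
                    }
                    // No REPLACE_EXISTING: overwriting is refused even inside destDir.
                    Files.copy(zis, target);
                }
                zis.closeEntry();
            }
        }
    }

    /** Maps an entry name to a path strictly under root, rejecting traversal. */
    static Path resolveInside(Path root, String entryName) throws ZipSlipException {
        Path target = root.resolve(entryName).normalize();
        // An absolute entry name ("/etc/passwd") replaces root entirely in resolve(),
        // and "../" sequences are collapsed by normalize(); both fail this check.
        if (target.equals(root) || !target.startsWith(root)) {
            throw new ZipSlipException(entryName);
        }
        return target;
    }

    /** Constructed sample archive: one benign entry and one traversal entry. */
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("benign content".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("must never be written".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip-dest");
        try {
            unpack(new ByteArrayInputStream(sampleZip()), dest);
            System.out.println("unexpected: extraction completed");
        } catch (ZipSlipException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The file the traversal entry aimed at (sibling of dest) must not exist.
        System.out.println("escaped.txt present: "
                + Files.exists(dest.resolveSibling("escaped.txt")));
    }
}
```

Because a ZipInputStream cannot be rewound, entries preceding the bad one ("docs/readme.txt" in the sample) are already on disk when the exception fires; in a service that must be atomic, extract into a fresh staging directory and move it into place only after 'unpack' returns normally.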

Added: Nov 17, 2025, 6:19 AM
Updated: Nov 17, 2025, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.