66biolinks Directory Traversal Vulnerability via Zip Slip

Vulnerability

A directory traversal vulnerability, known as Zip Slip, has been identified in the 'Static Sites' feature of 66biolinks version 44.0.0 by AltumCode. This vulnerability arises because uploaded ZIP files are extracted automatically without proper validation or sanitization of file paths. An attacker can exploit this by including traversal sequences in ZIP entries, allowing them to write files outside the designated extraction directory. As a result, static files such as HTML, JavaScript, CSS, and images can be placed in unintended locations or used to overwrite existing HTML files. This could lead to content defacement and, in some cases, further issues if sensitive files are replaced.

Impact

Exploitation of this vulnerability allows an attacker to write or overwrite static files in any directory where the application user has write permissions. This could result in defacing the website, injecting malicious HTML or JavaScript into accessible areas, creating phishing pages, or altering legitimate user interface elements. Although the application has a file extension whitelist that prevents arbitrary file uploads, the ability to overwrite HTML or JavaScript files poses a significant risk to the application's integrity and user safety.

Reproduction

To reproduce this vulnerability, upload a ZIP file containing a directory traversal payload, such as '../', through the 'Static Sites' feature. The ZIP file will be extracted without path validation, allowing files to be written outside the intended directory. After extraction, the uploaded files can be accessed from the uploads directory, bypassing the application's directory structure.

Remediation

It is recommended to implement path validation and normalization before extracting ZIP files. Ensure that extraction is confined to the designated uploads directory and block any ZIP files that attempt to write outside of this area, even if they contain whitelisted file types.
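The validation the remediation calls for, as an added example that is not 66biolinks' own code: each ZIP entry is normalised and checked for containment in the uploads directory before anything is written, and a single unsafe entry rejects the whole archive rather than just that entry. The extension whitelist, the sample archive and the directory names are assumptions, not values from the advisory.

```python
import io, os, zipfile

ALLOWED_EXTENSIONS = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".svg"}  # assumed whitelist

def resolve_entry(name, dest_dir):
    """Return the absolute target path for one ZIP entry, or None if it is unsafe."""
    posix_name = name.replace("\\", "/")  # archives built on Windows may carry backslashes
    if posix_name.startswith("/") or ":" in posix_name.split("/")[0]:
        return None  # absolute or drive-qualified path
    parts = [p for p in posix_name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None  # empty name or a traversal component
    if os.path.splitext(parts[-1])[1].lower() not in ALLOWED_EXTENSIONS:
        return None  # extension whitelist, applied on top of the path check, never instead of it
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    if os.path.commonpath([dest_real, target]) != dest_real:  # containment after normalisation
        return None
    return target

def check_archive(zip_bytes, dest_dir):
    """Validate every entry before writing anything; return (accepted, rejected) entry names."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                (accepted if resolve_entry(info.filename, dest_dir) else rejected).append(info.filename)
    return accepted, rejected

def safe_extract(zip_bytes, dest_dir):
    """Extract only if every entry is safe; otherwise reject the whole archive."""
    accepted, rejected = check_archive(zip_bytes, dest_dir)
    if rejected:
        raise ValueError("archive rejected, unsafe entries: %s" % rejected)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            target = resolve_entry(name, dest_dir)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as dst:
                dst.write(zf.read(name))  # write to the checked path; do not rely on extractall()
    return accepted

def build_sample_zip(malicious):
    """Constructed sample archive (not from the advisory), optionally with a Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("site/index.html", "<h1>hello</h1>")
        if malicious:
            zf.writestr("../../index.html", "<h1>defaced</h1>")
    return buf.getvalue()
```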

Added: Jan 28, 2026, 7:29 PM
Updated: Jan 28, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 6.6
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.