Docmost Zip Slip Vulnerability Allowing Arbitrary File Write
Vulnerability
A vulnerability in Docmost versions from 0.21.0 up to, but not including, 0.24.0 allows arbitrary file write through the zip import feature by exploiting a zip slip condition. The issue arises because the application does not validate entry filenames during zip extraction, so an entry name containing path traversal sequences is written outside the intended extraction directory. This vulnerability could be exploited to overwrite existing files or create new ones, potentially leading to code execution by placing a web shell in the application directory.
Impact
Exploitation of this vulnerability allows attackers to create or overwrite files on the server. In a web application context, this could be used to execute arbitrary code by, for example, uploading a web shell or modifying a critical application file to include malicious code.
Reproduction
To reproduce this vulnerability, create a zip file containing an entry whose name includes path traversal sequences, such as '../../../../../../tmp/poc.txt'. Upload this zip file via the Docmost zip import interface. The application extracts the archive without validating entry names, so the traversal entry creates or overwrites a file outside the intended extraction directory.
Remediation
Users are advised to upgrade to Docmost version 0.24.0 or later, where this vulnerability has been fixed.
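The entry-name validation the advisory describes as missing, shown as an added TypeScript example (Docmost's implementation language); this is not Docmost's own code or the 0.24.0 patch, and the function names, the extraction directory and the sample entry list are assumptions. It resolves each entry name against the destination directory and rejects any that escape it, covering both ".." segments and absolute names.

```typescript
import * as path from "node:path";

// Resolve one zip entry name against the extraction directory and return the
// absolute target path, or null if the entry would land outside that directory.
// Both classic zip slip vectors are covered: ".." segments and absolute names.
function resolveZipEntry(destDir: string, entryName: string): string | null {
  const root = path.resolve(destDir);
  // Treat backslashes as separators so "..\\..\\x" cannot slip past on POSIX.
  const name = entryName.replace(/\\/g, "/");
  // An absolute entry name would ignore destDir entirely.
  if (path.isAbsolute(name)) return null;
  const target = path.resolve(root, name);
  // Require target to be root itself or strictly beneath "root/"; the trailing
  // separator stops "/srv/import-other" from matching a root of "/srv/import".
  if (target !== root && !target.startsWith(root + path.sep)) return null;
  return target;
}

interface ImportTriage {
  accepted: string[];
  rejected: string[];
}

// Classify every entry name of an import archive before anything is written,
// so a single hostile entry can be reported instead of silently extracted.
function triageZipEntries(destDir: string, entryNames: string[]): ImportTriage {
  const result: ImportTriage = { accepted: [], rejected: [] };
  for (const entry of entryNames) {
    const target = resolveZipEntry(destDir, entry);
    if (target === null) result.rejected.push(entry);
    else result.accepted.push(target);
  }
  return result;
}

// Constructed sample entry list (hypothetical): two legitimate page files, the
// traversal name quoted in the advisory, and an absolute name for comparison.
const SAMPLE_ENTRIES: string[] = [
  "pages/home.md",
  "pages/../attachments/logo.png",
  "../../../../../../tmp/poc.txt",
  "/tmp/absolute.txt",
];

const SAMPLE_DEST = "/srv/docmost/import"; // assumed extraction directory

console.log(triageZipEntries(SAMPLE_DEST, SAMPLE_ENTRIES));
```

The check must run before any write, and the rejected list is what an import log should record so that a traversal attempt is visible to defenders rather than silently dropped.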
