Zulip Path Traversal Vulnerability in File Import Process Allows Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Zulip Server versions from 1.4.0 up to, but not including, 11.6. The issue arises in the realm import process, where the application fails to validate the file paths listed in 'uploads/records.json' against the export's uploads directory. A crafted export tarball can therefore steer the import into copying arbitrary files readable by the 'zulip' system user into the uploads directory. The vulnerability has been patched in Zulip version 11.6.
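As an added illustration (not Zulip's own code), this is the containment check an importer needs before copying any file named in a records.json: every listed path must resolve to a location inside the export's uploads directory. The "path" field name, the sample records and the export root are assumptions.

```python
import json
import os
from typing import List, Optional, Tuple

# Constructed sample of an uploads/records.json as this page describes it;
# the "path" field name is an assumption, not taken from Zulip's real format.
SAMPLE_RECORDS_JSON = json.dumps([
    {"path": "2/ab/photo.png", "size": 1234},
    {"path": "../../../../etc/passwd", "size": 0},      # traversal attempt
    {"path": "/etc/passwd", "size": 0},                 # absolute path attempt
    {"path": "2/ab/../../../../../../etc/shadow", "size": 0},
    {"path": "2/ab/./notes.txt", "size": 10},
])


def safe_upload_source(export_root: str, relative_path: str) -> Optional[str]:
    """Return the resolved path of an upload inside the export, or None if
    the record would escape export_root/uploads (the defect this page fixes).

    realpath collapses '.', '..' and symlinked directories before the
    containment check; commonpath compares path components rather than
    string prefixes, so '/x/uploads2' is not mistaken for a child of
    '/x/uploads'. Absolute paths are rejected up front because
    os.path.join would otherwise discard the base directory entirely.
    """
    uploads_dir = os.path.realpath(os.path.join(export_root, "uploads"))
    if os.path.isabs(relative_path):
        return None
    candidate = os.path.realpath(os.path.join(uploads_dir, relative_path))
    if candidate == uploads_dir:
        return None  # the directory itself is not a valid upload
    if os.path.commonpath([uploads_dir, candidate]) != uploads_dir:
        return None
    return candidate


def partition_records(records_json: str, export_root: str) -> Tuple[List[str], List[str]]:
    """Split record paths into (accepted resolved sources, rejected raw paths)."""
    accepted: List[str] = []
    rejected: List[str] = []
    for record in json.loads(records_json):
        resolved = safe_upload_source(export_root, record["path"])
        if resolved is None:
            rejected.append(record["path"])
        else:
            accepted.append(resolved)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_records(SAMPLE_RECORDS_JSON, "/srv/zulip-export")
    print("accepted:", ok)
    print("rejected:", bad)
```

A rejected record should abort the whole import rather than be skipped silently, since a tarball containing one is malformed by construction.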

Impact

Exploitation of this vulnerability gives an importing user arbitrary read access to any file the 'zulip' system user can open, including sensitive files such as '/etc/passwd'.

Reproduction

To reproduce this vulnerability, first export a realm using the Zulip management command. After extracting the exported tarball, inject a path traversal payload into the 'uploads/records.json' file, targeting a file that the 'zulip' user can read, such as '/etc/passwd'. Once the payload is injected, import the modified export using the Zulip management command. The targeted file is copied into the uploads directory, bypassing the normal file access restrictions.

Remediation

Update to Zulip version 11.6 or later, where this vulnerability has been patched.

Added: Apr 3, 2026, 9:24 PM
Updated: Apr 3, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.3
exploitability: 5.2
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.