ProjeQtOr
cpe:2.3:a:projeqtor:projeqtor:*:*:*:*:*:*:*
- >= 7.0, <= 12.4.3
A ZipSlip path traversal vulnerability has been identified in ProjeQtOr versions from 7.0 up to, but not including, 12.4.4. The vulnerability exists in the plugin upload functionality, where authenticated attackers with upload permissions can craft ZIP archives containing directory traversal sequences. When such an archive is uploaded, the application extracts it without validating the entry paths, allowing attackers to write files outside the intended directory. This can lead to remote code execution by placing a PHP web shell in a directory accessible by the web server.
Exploitation of this vulnerability allows for remote code execution on the server, with the same privileges as the web server process.
To reproduce this vulnerability, an authenticated user with upload permissions can upload a ZIP file containing a path traversal payload, such as '../../shell.php'. The application will extract the file outside of the intended plugin directory, where it can be accessed via the web server. Once the file is accessed, the uploaded PHP shell can be executed, leading to remote code execution on the server.
Users are advised to update to ProjeQtOr version 12.4.4 or later. Additionally, the extraction logic should be modified to validate file paths before writing them to disk, ensuring that archives are extracted safely and that uploaded content is stored outside of the web root when possible.
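One way to implement the path validation described above, as an added example that is not ProjeQtOr's own code or its 12.4.4 fix. The function name `safeExtractZip()` and its arguments are hypothetical, and `$destDir` is assumed to be a directory outside the web root.

```php
<?php
// Added example, not ProjeQtOr code: safeExtractZip() and its arguments are hypothetical.
function safeExtractZip(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true || (!is_dir($destDir) && !mkdir($destDir, 0750, true))) {
        throw new RuntimeException('cannot open archive or create destination');
    }
    $base = realpath($destDir);
    $plan = [];
    // Pass 1: validate every entry name; nothing is written unless all pass.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = str_replace('\\', '/', (string) $zip->getNameIndex($i));
        $segments = explode('/', $name);
        // Reject empty names, absolute paths, drive letters, NUL bytes and any ".." segment.
        if ($name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)
            || strpos($name, "\0") !== false || in_array('..', $segments, true)) {
            $zip->close();
            throw new RuntimeException("unsafe entry name at index $i");
        }
        $clean = array_filter($segments, fn($s) => $s !== '' && $s !== '.');
        if ($clean !== []) {
            $path = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $clean);
            $plan[$i] = [$path, substr($name, -1) === '/'];
        }
    }
    // Pass 2: write; re-check the resolved parent so a pre-existing symlink cannot redirect it.
    $written = [];
    foreach ($plan as $i => [$target, $isDir]) {
        $dir = $isDir ? $target : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            $zip->close();
            throw new RuntimeException('cannot create directory');
        }
        $real = realpath($dir);
        $inside = $real === $base
            || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
        $data = $isDir ? '' : $zip->getFromIndex($i);
        if (!$inside || is_link($target) || $data === false) {
            $zip->close();
            throw new RuntimeException("refusing to write entry at index $i");
        }
        if (!$isDir) {
            file_put_contents($target, $data);
            $written[] = $target;
        }
    }
    $zip->close();
    return $written;
}
```

An archive containing an entry named `../../shell.php` fails the first pass, so the exception is thrown before any file from that archive reaches disk.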