Vigil@nce - Node.js tar: directory traversal via symlink
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious tar archive that traverses
directories in Node.js tar, in order to create a file outside the
service root path.
– Impacted products: Node.js Modules (not comprehensive).
– Severity: 2/4.
– Creation date: 04/11/2015.
DESCRIPTION OF THE VULNERABILITY
The tar module of Node.js extracts archives in tar format.
However, if the archive contains a symbolic link to a directory,
Node.js tar follows this link and creates files outside the
working directory.
An attacker can therefore create a malicious tar archive that
traverses directories in Node.js tar, in order to create a file
outside the service root path.
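A pre-extraction check for the pattern described above, as an added example that is not part of the Vigil@nce bulletin or of the tar module's own code: it flags entries that would be written through a symlink declared earlier in the same archive, and symlinks whose target resolves outside the extraction root. The entry shape {path, type, linkpath}, the function names and the sample listing are assumptions made for illustration.

```javascript
// Added example. Entry shape {path, type, linkpath} is an assumption modelled on tar headers.
function resolveInside(base, rel) {
  if (rel.startsWith('/')) return null;            // absolute: leaves the root
  const out = base ? base.split('/') : [];
  for (const seg of rel.split('/')) {              // tar member names always use '/'
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') { out.push(seg); continue; }
    if (out.length === 0) return null;             // climbs above the root
    out.pop();
  }
  return out.join('/');
}

function auditTarEntries(entries) {
  const symlinks = new Set();   // normalized paths declared as symlinks so far
  const findings = [];
  for (const e of entries) {
    const norm = resolveInside('', e.path);
    if (norm === null) {
      findings.push({ path: e.path, reason: 'path escapes extraction root' });
      continue;
    }
    const segs = norm.split('/');
    // A parent that is an archive-declared symlink would have to be followed to write this entry.
    for (let i = 1; i < segs.length; i++) {
      const parent = segs.slice(0, i).join('/');
      if (!symlinks.has(parent)) continue;
      findings.push({ path: e.path, reason: 'written through symlink ' + parent });
      break;
    }
    if (e.type === 'SymbolicLink') {
      const dir = segs.slice(0, -1).join('/');     // link targets are relative to the link's directory
      if (resolveInside(dir, e.linkpath || '') === null) {
        findings.push({ path: e.path, reason: 'symlink target outside root' });
      }
      symlinks.add(norm);
    }
  }
  return findings;
}

// Constructed sample listing (not taken from a real archive).
const sample = [
  { path: 'pkg/index.js', type: 'File' },
  { path: 'pkg/assets', type: 'SymbolicLink', linkpath: '../../outside' },
  { path: 'pkg/assets/config.txt', type: 'File' },
  { path: 'pkg/docs', type: 'SymbolicLink', linkpath: 'assets' },
];
console.log(auditTarEntries(sample));
```

The check is deliberately conservative: any entry beneath an archive-declared symlink is reported, even when the link target stays inside the root.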
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Node-js-tar-directory-traversal-via-symlink-18242