https://github.com/jwilk/traversal-archives
archive file samples for testing against directory traversal
- Host: GitHub
- URL: https://github.com/jwilk/traversal-archives
- Owner: jwilk
- License: mit
- Created: 2016-10-03T14:52:29.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2025-03-29T17:56:43.000Z (about 1 year ago)
- Last Synced: 2025-09-11T22:48:43.855Z (10 months ago)
- Topics: security
- Language: Makefile
- Size: 59.6 KB
- Stars: 158
- Watchers: 4
- Forks: 16
- Open Issues: 0
Metadata Files:
- Readme: README
- License: LICENSE
README
Overview
--------
This repository provides samples of archive files in various formats
that attempt to exploit (hypothetical) directory traversal bugs:

.. automatically generated by .private/update-readme

* Leading slash::

     -rw-r--r-- /tmp/moo

  Formats: 7zip, ar, arc, arj, cab, cpio, rar, tar, zip, zoo

* Multiple leading slashes::

     -rw-r--r-- //tmp/moo

  Formats: ar, arc, arj, cab, cpio, rar, tar, zip, zoo

* Leading dot-dot::

     -rw-r--r-- ../moo

  Formats: 7zip, ar, arc, arj, cab, cpio, rar, tar, zip, zoo

* Non-leading dot-dot::

     -rw-r--r-- tmp/../../moo

  Formats: 7zip, ar, arj, cab, cpio, rar, tar, zip, zoo

* File symlink::

     lrwxrwxrwx moo -> /tmp/moo
     -rw-r--r-- moo

  Formats: 7zip, arj, cpio, rar, tar, zip

* Directory symlink::

     lrwxrwxrwx tmp -> /tmp
     -rw-r--r-- tmp/moo

  Formats: 7zip, arj, cpio, rar, tar, zip

* Two directory symlinks (variant A)::

     lrwxrwxrwx cur -> .
     lrwxrwxrwx par -> cur/..
     -rw-r--r-- par/moo

  Formats: 7zip, arj, cpio, rar, tar, zip

* Two directory symlinks (variant B)::

     lrwxrwxrwx cur -> .
     lrwxrwxrwx cur/par -> ..
     -rw-r--r-- par/moo

  Formats: 7zip, arj, cpio, rar, tar, zip

.. end of generated stuff
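
The eight listings above, expressed as a check an extractor could run before writing anything. This is an added example, not part of the repository; ``ROOT``, ``resolve``, ``audit`` and ``CASES`` are hypothetical names, and the entry tuples are constructed from the listings:

```python
import posixpath

ROOT = "/extract"  # virtual extraction root (assumed); nothing is written to disk

def resolve(path, base, links, depth=0):
    """Walk path one component at a time, following symlinks recorded so far."""
    if depth > 32:
        raise ValueError("symlink loop")
    cur = "/" if path.startswith("/") else base
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            cur = posixpath.dirname(cur)  # dirname("/") stays "/"
            continue
        cur = posixpath.join(cur, part)
        if cur in links:  # relative targets resolve against the link's directory
            cur = resolve(links[cur], posixpath.dirname(cur), links, depth + 1)
    return cur

def audit(entries):
    """entries: (name, symlink_target_or_None) tuples in archive order.
    Returns (name, resolved_path) for every entry that lands outside ROOT."""
    links, escaped = {}, []
    for name, target in entries:
        try:
            dest = resolve(name, ROOT, links)
        except ValueError as exc:
            escaped.append((name, str(exc)))
            continue
        if target is not None:
            links[dest] = target  # conservative: an existing link at name is followed
        if dest != ROOT and not dest.startswith(ROOT + "/"):
            escaped.append((name, dest))
    return escaped

# Constructed entry lists mirroring the eight listings above.
CASES = {
    "leading slash": [("/tmp/moo", None)],
    "multiple leading slashes": [("//tmp/moo", None)],
    "leading dot-dot": [("../moo", None)],
    "non-leading dot-dot": [("tmp/../../moo", None)],
    "file symlink": [("moo", "/tmp/moo"), ("moo", None)],
    "directory symlink": [("tmp", "/tmp"), ("tmp/moo", None)],
    "two symlinks, variant A": [("cur", "."), ("par", "cur/.."), ("par/moo", None)],
    "two symlinks, variant B": [("cur", "."), ("cur/par", ".."), ("par/moo", None)],
}
```

In the four symlink cases every member name is clean when inspected on its own; the escape only shows up once earlier link entries are taken into account, which is why the check resolves component by component instead of normalising the name as a string.
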
Found bugs
----------
The samples helped find the following bugs:

* ARJ:

  - https://bugs.debian.org/774434 [CVE-2015-0556]
  - https://bugs.debian.org/774435 [CVE-2015-0557]
  - https://bugs.debian.org/867520

* Zoo:

  - https://bugs.debian.org/774453

* ARC:

  - https://bugs.debian.org/774527 [CVE-2015-9275]

* gcab:

  - https://bugs.debian.org/774580 [CVE-2015-0552]

* UnRAR:

  - https://www.openwall.com/lists/oss-security/2017/08/14/3 [CVE-2017-12938]

* Perl (Archive::Tar):

  - https://bugs.debian.org/900834 [CVE-2018-12015]

* GNOME Nautilus:

  - https://bugs.debian.org/878012

* Ark:

  - https://bugs.debian.org/878269

* archiver:

  - https://github.com/mholt/archiver/issues/69

.. vim:ts=3 sts=3 sw=3 et ft=rst