THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT v22.214.171.124 and 126.96.36.199
- This is fixed in v188.8.131.52
Is EFT susceptible to the Zip Slip vulnerability?
If you use the compression feature in our OpenPGP module, you may be vulnerable. Our development team has mitigated the vulnerability in a new patch build.
Zip Slip is a path traversal flaw in archive extraction: an archive entry whose name contains directory traversal sequences is written outside the intended extraction folder, which allows arbitrary file write and can lead to sensitive data exposure. In EFT the vulnerability was introduced through the /n compression library used by the OpenPGP module. A specially crafted archive can deposit files in restricted folders, for example an entry named ../../../malicious.zip that is written three directories above the extraction folder.
Until you can upgrade, the following file-naming practices reduce exposure:
- Name files with standard, predictable names.
- Strip special characters (including path separators and ".." sequences) from file names.
- Validate file names against a strict regular expression (an allowlist of permitted characters) before using them.
- Rename all files in the uploaded zip with generated names before actually using or storing them.
- If you are using EFT v184.108.40.206 to v220.127.116.11, upgrade to v18.104.22.168.
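The following is an added example, not EFT code or the /n library's code, showing how an extractor can apply the recommendations above. It combines two independent defences: a syntactic check that rejects absolute paths and any ".." path component, a semantic check that the canonicalised target path still lies inside the destination directory, and finally storing each accepted file under a generated name so the attacker-controlled entry name never reaches the filesystem. The sample archive (function and entry names are assumptions for illustration) is constructed in memory and contains one benign entry alongside three traversal attempts.

```python
"""Added example: ZIP extraction hardened against Zip Slip (not EFT's own code)."""
import io
import re
import tempfile
import uuid
import zipfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Only this much of the attacker-controlled name is ever kept: a short
# alphanumeric extension. Everything else is replaced by a generated name.
SAFE_EXT = re.compile(r"^\.[A-Za-z0-9]{1,8}$")


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry, a classic Zip Slip entry,
    an absolute-path entry, and an entry hiding '..' mid-path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign\n")
        zf.writestr("../../../malicious.txt", "escaped\n")
        zf.writestr("/etc/cron.d/evil", "absolute\n")
        zf.writestr("docs/../../sneaky.txt", "escaped via middle component\n")
    return buf.getvalue()


def name_is_safe(name: str) -> bool:
    """Syntactic check on the raw entry name: no absolute path, no drive
    letter, no empty/'.'/'..' components (either separator is considered)."""
    if not name or name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return False
    parts = re.split(r"[\\/]", name.rstrip("/\\"))
    return all(part not in ("", ".", "..") for part in parts)


def resolve_inside(dest: Path, name: str) -> Optional[Path]:
    """Semantic check: the canonicalised target must stay under dest.
    Returns the resolved path, or None if the entry would escape."""
    root = dest.resolve()
    target = (root / name).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


def generated_name(original: str) -> str:
    """Replace the entry name with a random one, keeping only a safe extension."""
    ext = Path(original).suffix
    return uuid.uuid4().hex + (ext if SAFE_EXT.match(ext) else "")


def safe_extract(archive: bytes, dest: Path,
                 namer: Callable[[str], str] = generated_name,
                 ) -> Tuple[Dict[str, str], List[str]]:
    """Extract `archive` into `dest`, skipping any entry that fails either check.
    Returns (accepted, rejected): accepted maps original entry name to the
    filename actually written; rejected lists the entry names dropped."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # never use archive directory entries as targets
            if not name_is_safe(info.filename) or resolve_inside(dest, info.filename) is None:
                rejected.append(info.filename)
                continue
            out_name = namer(info.filename)
            # Re-check the generated name too, in case a custom namer is careless.
            if resolve_inside(dest, out_name) is None:
                rejected.append(info.filename)
                continue
            with zf.open(info) as src, open(dest / out_name, "wb") as dst:
                dst.write(src.read())
            accepted[info.filename] = out_name
    return accepted, rejected


def run_demo() -> Tuple[Dict[str, str], List[str], str]:
    """Extract the constructed sample into a temp dir using a deterministic namer
    (so the result is readable); returns accepted, rejected and the stored content."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        ok, bad = safe_extract(build_sample_zip(), dest,
                               namer=lambda n: "stored_" + Path(n).name)
        content = (dest / ok["report.txt"]).read_text()
    return ok, bad, content


if __name__ == "__main__":
    accepted, rejected, _ = run_demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Note that the name-based checks alone are not sufficient: the decisive control is `resolve_inside`, which canonicalises the joined path and confirms it is still under the destination directory. Renaming to a generated name then removes the need to trust the entry name at all, which is why the list above recommends it even when validation is in place.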
For more about naming files, refer to the following sources: