J-Security Center

Title: ZipGenius Multiple Directory Traversal Vulnerabilities

Severity: HIGH

Description:

ZipGenius is a file compression suite that supports various compression formats including RAR, ARJ, ACE, CAB, SQX and 7-zip.

ZipGenius is prone to multiple vulnerabilities that may allow an attacker to create files in arbitrary locations on a vulnerable computer. These issues result from insufficient sanitization of user-supplied data.

The following specific issues were identified:

When the application processes a compressed ZIP file, it does not properly sanitize the names of the entries inside the archive. This allows an attacker to craft a zip file whose entry names include directory traversal sequences such as '../'. The attacker can send the malicious file to a user to be processed through the application. If the user decompresses the file using ZipGenius, the attacker-supplied file may be placed in an arbitrary location. This can allow the attacker to place potentially malicious files and overwrite files on a computer, which can aid in various attacks. Reportedly, the application does generate a warning before overwriting an existing file.

A similar vulnerability arises when a user right-clicks on a file and attempts to decompress it. If the archive's own file name contains directory traversal sequences before the file extension, the extracted file may be placed in an arbitrary location on the computer. This can allow the attacker to place potentially malicious files and overwrite files on a computer, which can aid in various attacks as well.

ZipGenius 5.5 and prior versions are reported vulnerable to these issues.
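The following is an added example, not code from ZipGenius or from this advisory, showing the two checks an extractor needs to avoid the issues described above: entry names inside the archive must be validated before any file is written (first issue), and an output folder derived from the archive's file name must come from its base name only (second issue). The `safe_extract`, `is_unsafe_entry`, `derive_output_dir` and `build_sample_archive` names, and the archive contents, are constructed for this illustration; the traversal-named entries exist only so the rejection path can be exercised.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath


def is_unsafe_entry(name: str) -> bool:
    """True if an entry name could escape the extraction root.

    Rejects absolute paths, Windows drive letters and any '..' component.
    ZIP entries may carry either separator, so backslashes are normalised first.
    """
    norm = name.replace("\\", "/")
    if len(norm) >= 2 and norm[1] == ":":      # e.g. C:\Windows\...
        return True
    parts = PurePosixPath(norm)
    if parts.is_absolute():
        return True
    return ".." in parts.parts


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract only entries whose resolved path stays under dest.

    Returns {'extracted': [names...], 'rejected': [names...]} so a caller
    (or a test) can see exactly which entries were refused.
    """
    dest_root = Path(dest).resolve()
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Check 1: lexical check on the entry name itself.
            if is_unsafe_entry(name):
                result["rejected"].append(name)
                continue
            # Check 2: the fully resolved target must still lie inside dest_root
            # (guards against anything the lexical check did not anticipate).
            target = (dest_root / name.replace("\\", "/")).resolve()
            if target != dest_root and dest_root not in target.parents:
                result["rejected"].append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(name)
    return result


def derive_output_dir(archive_name: str, base: str) -> Path:
    """For 'extract to a folder named after the archive' workflows.

    The folder name is taken from the archive's base name only, so directory
    components or traversal sequences in the supplied path cannot move the
    output folder outside base.
    """
    basename = PurePosixPath(archive_name.replace("\\", "/")).name
    stem = basename.rsplit(".", 1)[0] if "." in basename else basename
    if not stem or is_unsafe_entry(stem):
        raise ValueError(f"refusing to derive a folder from {archive_name!r}")
    return Path(base).resolve() / stem


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry plus two traversal-named ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        zf.writestr("../../outside.txt", "must never land outside dest\n")
        zf.writestr("sub/../../also_outside.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(safe_extract(build_sample_archive(), d))
        print(derive_output_dir("..\\..\\Startup\\evil.zip", d))
```

The two-layer check in `safe_extract` is deliberate: the lexical test catches the obvious '../' and absolute-path cases, while resolving the final path against the destination root is what actually guarantees containment, so a name the first test did not foresee is still refused rather than written.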

Affected Products:

  • ZipGenius ZipGenius Standard Edition 5.5.0
  • ZipGenius ZipGenius Suite Edition 5.5.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.