<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Gramps-Webapi - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/gramps-webapi/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/gramps-webapi/feed.xml" rel="self" type="application/rss+xml"/><item><title>Gramps Web API Zip Slip Vulnerability in Media Archive Import</title><link>https://feed.craftedsignal.io/briefs/2024-01-gramps-webapi-zip-slip/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gramps-webapi-zip-slip/</guid><description>A path traversal vulnerability (Zip Slip) exists in the gramps-webapi media archive import feature, allowing authenticated users with owner privileges to write arbitrary files outside the intended temporary extraction directory via malicious ZIP files, potentially leading to data corruption or replacement.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, known as Zip Slip, has been identified in gramps-webapi versions 1.6.0 through 3.11.0. This flaw resides within the media archive import functionality and allows an authenticated user with owner-level privileges to upload a specially crafted ZIP file containing directory traversal sequences (../) in the filenames. Successful exploitation enables an attacker to write arbitrary files outside the designated temporary extraction directory on the server's local filesystem. The risk is highest in multi-tree deployments where tree owners are distinct from server administrators. The impact ranges from cross-tree data corruption to application config file overwrite, depending on the specific deployment configuration (SQLite+local media, Postgres+S3 media, or Postgres+S3+env-var-only config).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the gramps-webapi instance with owner-level privileges.</li>
<li>Attacker crafts a malicious ZIP archive containing files with filenames including directory traversal sequences such as <code>../</code>.</li>
<li>The attacker uploads the malicious ZIP archive via the media archive import feature.</li>
<li>The <code>MediaImporter._check_disk_space_and_extract()</code> function in <code>gramps_webapi/api/media_importer.py</code> is called.</li>
<li>The <code>zipfile.extractall()</code> function extracts the contents of the ZIP archive without proper validation of entry names.</li>
<li>Due to the lack of sanitization, files are extracted to locations outside the intended temporary directory.</li>
<li>Depending on the server configuration, the attacker overwrites sensitive files such as database files, media files, or application configuration files.</li>
<li>The attacker achieves persistent code execution or data corruption within the gramps-webapi instance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to several critical consequences. In multi-tree deployments, an attacker can overwrite another tree's database or media files, causing cross-tree data corruption or replacement. In deployments using local media storage, sensitive application configuration files can be overwritten. Even in configurations using Postgres and S3 storage with environment variable-based configurations, the attacker can write to ephemeral container storage, potentially disrupting service until a worker restart. The impact is most significant in multi-tree environments where owner privileges are granted to untrusted users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by gramps-webapi that validates ZIP entry names against the resolved real path of the temporary directory before extraction, preventing writes outside the intended directory, or upgrade to a non-vulnerable version.</li>
<li>For multi-tree deployments, review and restrict owner-level privileges to trusted users only to mitigate the risk of malicious archive uploads.</li>
<li>Monitor web server logs for suspicious POST requests to the media archive import endpoint, potentially indicating attempts to upload malicious ZIP files. Create a Sigma rule to detect this activity based on unusual URI parameters (see example rule below).</li>
<li>Implement file integrity monitoring on sensitive files and directories (e.g., database files, media directories, application configuration files) to detect unauthorized modifications. Use file_event logs to alert on these changes.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>zip-slip</category><category>gramps-webapi</category><category>vulnerability</category></item></channel></rss>