https://feed.craftedsignal.io/tags/zip-slip/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 17:39:31 +0000https://feed.craftedsignal.io/briefs/2024-01-openmrs-zip-slip/Mon, 04 May 2026 17:39:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-openmrs-zip-slip/OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.OpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the POST /openmrs/ws/rest/v1/module endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted .omod archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. The vulnerability stems from incomplete path validation within the WebModuleUtil.startModule() function, an oversight compared to other extraction methods within the same codebase that are properly protected.

Attack Chain

1. The attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.
2. The attacker crafts a malicious .omod file containing a ZIP entry with a path traversal payload, such as web/module/../../../../<target_filename>.jsp.
3. The attacker sends a POST request to the /openmrs/ws/rest/v1/module endpoint, uploading the malicious .omod file.
4. The server receives the request and parses the uploaded .omod file, treating it as a ZIP archive.
5. During module loading via WebModuleUtil.startModule(), the server extracts entries under the web/module/ directory.
6. Due to an incomplete check, the entry web/module/../../../../<target_filename>.jsp passes the initial validation.
7. The server attempts to write the extracted file to a path constructed by concatenating the traversed path, resulting in writing the file outside the intended WEB-INF/view/module/ directory.
8. If the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).

Impact

Successful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS’s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.

Recommendation

• Apply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.
• Deploy the Sigma rule Detect OpenMRS Malicious Module Upload to identify exploitation attempts based on HTTP requests to the /openmrs/ws/rest/v1/module endpoint with suspicious file extensions in the query parameters.
• Enable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.
• Monitor file creation events within the web application root directory for suspicious JSP files. Use the Sigma rule Detect JSP File Creation in Web Application Root as a starting point.
• Enforce the module.allow_web_admin restriction consistently across all module upload entry points, including the REST API to prevent bypass.

]]>criticaladvisorypath-traversalzip-sliprceopenmrsweb-applicationhttps://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/Wed, 22 Apr 2026 17:28:39 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/The CI4MS Backup restore function is vulnerable to Zip Slip, allowing remote code execution by uploading a malicious ZIP archive that writes PHP files to the public web root due to missing validation of entry names during extraction, affecting versions prior to 0.31.5.0.A Zip Slip vulnerability exists in the CI4MS backup restore functionality. Authenticated users with backup creation permissions can exploit this by uploading a specially crafted ZIP archive. The vulnerability lies in the Backup::restore function (modules/Backup/Controllers/Backup.php), where the application extracts the uploaded ZIP without proper validation of the entry names. This allows an attacker to write files to arbitrary locations, including the public web root, leading to remote code execution (RCE). This vulnerability affects CI4MS versions prior to 0.31.5.0. By crafting a ZIP file with malicious paths, attackers can bypass intended directory restrictions.

Attack Chain

1. An authenticated user with create role accesses the vulnerable /backend/backup/restore endpoint.
2. The attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with a path traversing outside the intended extraction directory (e.g., ../../public/shell.php).
3. The attacker uploads the malicious ZIP archive via the backup_file parameter in a POST request.
4. The server moves the uploaded ZIP file to WRITEPATH . 'uploads/' without sanitizing or validating the ZIP entry names.
5. The ZipArchive::extractTo() function is called on the uploaded ZIP, extracting the malicious file to the specified path ../../public/shell.php.
6. The PHP file is written to the web root, allowing for remote code execution.
7. The attacker triggers the injected PHP code by sending a request to /shell.php?c=id, executing arbitrary commands on the server.
8. The attacker gains complete control over the compromised server, including access to sensitive data and the ability to further compromise the network.

Impact

Successful exploitation of this vulnerability allows an attacker to achieve remote code execution (RCE) on the CI4MS server. This can lead to full compromise of the installation, including the database credentials stored in .env and any other sensitive data handled by the site. Because the affected route is in the csrfExcept list, this vulnerability can be triggered cross-site against a logged-in administrator, potentially leading to drive-by RCE against site operators. The vulnerability affects versions of composer/ci4-cms-erp/ci4ms prior to 0.31.5.0.

Recommendation

• Upgrade composer/ci4-cms-erp/ci4ms to version 0.31.5.0 or later to patch the vulnerability as described in GHSA-xp9f-pvvc-57p4.
• Implement server-side validation of uploaded ZIP archive entry names to prevent path traversal vulnerabilities. Specifically, validate the file paths extracted from the ZIP archive before calling extractTo().
• Deploy the Sigma rule Detect CI4MS Zip Slip via Web Request to identify potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.
• Enable web server logging and monitor for suspicious file creations, especially in web-accessible directories, after ZIP archive uploads, based on the attack chain described above.

]]>criticaladvisoryzip-sliprcecode-injectionvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-06-code-marketplace-zip-slip/Sat, 04 Apr 2026 06:29:50 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-code-marketplace-zip-slip/A Zip Slip vulnerability in coder/code-marketplace allows authenticated users to upload malicious VSIX files containing path traversal entries, leading to arbitrary file writes outside the extension directory and potentially enabling persistence.A Zip Slip vulnerability (CVE-2026-35454) exists in the Coder code-marketplace application, specifically in versions up to 2.4.1. The vulnerability stems from improper sanitization of zip entry names during VSIX file extraction, which allows an attacker to write files to arbitrary locations on the server. This flaw, discovered by Kandlaguduru Vamsi and detailed in GHSA-8x9r-hvwg-c55h, can be exploited by any authenticated user with upload privileges. Successful exploitation could lead to persistence via cron/init injection, SSH key injection, ld.so.preload hijacking, or binary overwrite. The vulnerability was patched in version 2.4.2. Defenders should upgrade to the latest version of the code-marketplace application to prevent potential exploitation.

Attack Chain

1. An authenticated user with upload privileges logs into the code-marketplace application.
2. The attacker crafts a malicious VSIX file containing zip entries with path traversal sequences (e.g., “../../../etc/cron.d/evil”).
3. The attacker uploads the malicious VSIX file through the application’s extension upload functionality.
4. The ExtractZip function processes the uploaded VSIX file without proper sanitization of zip entry names.
5. The filepath.Join function constructs the output path using the unsanitized zip entry name and a base directory.
6. Path traversal sequences like .. are resolved by filepath.Clean, but the resulting path is not checked against the intended base directory, allowing it to escape.
7. The application writes the extracted file to an attacker-controlled location on the server’s file system.
8. The attacker achieves persistence, privilege escalation, or arbitrary code execution by overwriting critical system files or injecting malicious code into system configurations like cron jobs or SSH authorized keys.

Impact

Successful exploitation of this Zip Slip vulnerability allows attackers to write arbitrary files to the underlying system. An attacker can achieve persistence by injecting malicious cron jobs or modifying system initialization scripts. Privilege escalation is possible via SSH key injection or by overwriting binaries with malicious versions. The impact ranges from system compromise to data exfiltration and denial of service. While the number of victims is unknown, any organization using vulnerable versions of the Coder code-marketplace application is at risk.

Recommendation

• Upgrade the coder/code-marketplace application to version 2.4.2 or later to remediate CVE-2026-35454.
• Implement file integrity monitoring on critical system directories (e.g., /etc/cron.d, /root/.ssh) using a file_event log source to detect unauthorized file modifications.
• Deploy the Sigma rule “Detect Suspicious File Creation in Sensitive Directories” to detect potential exploitation attempts based on file creation events.
• Enable webserver logging and deploy the provided Sigma rule “Detect VSIX Uploads with Path Traversal” to identify suspicious VSIX uploads containing path traversal sequences based on request parameters.

]]>highadvisoryzip-slippath-traversalcode-marketplacepersistencehttps://feed.craftedsignal.io/briefs/2024-06-simplehelp-path-traversal/Tue, 25 Jun 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-06-simplehelp-path-traversal/CVE-2024-57728 is a path traversal vulnerability in SimpleHelp that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, potentially leading to arbitrary code execution.A path traversal vulnerability exists within SimpleHelp, identified as CVE-2024-57728. This flaw enables authenticated administrators to upload arbitrary files to any location on the server’s file system. This is achieved through the use of a specially crafted ZIP archive (a technique known as Zip Slip). Successful exploitation allows an attacker to execute arbitrary code within the security context of the SimpleHelp server user. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. Defenders should apply vendor-provided mitigations or discontinue use of the software.

Attack Chain

1. An attacker gains administrative access to the SimpleHelp console, either through compromised credentials or exploiting a separate authentication bypass.
2. The attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., “../../ malicious.exe”) in its filename.
3. The attacker uploads the crafted ZIP archive to the SimpleHelp server through a file upload functionality available to administrators.
4. The SimpleHelp server extracts the contents of the ZIP archive without proper validation of the file paths.
5. The file with the path traversal sequence is extracted to an arbitrary location on the file system outside of the intended upload directory.
6. The attacker leverages a method to execute the uploaded malicious executable. This could involve overwriting an existing system utility or service executable.
7. The malicious executable runs with the privileges of the SimpleHelp server user.
8. The attacker achieves arbitrary code execution on the host, potentially leading to complete system compromise, data exfiltration, or deployment of ransomware.

Impact

Successful exploitation of CVE-2024-57728 allows an attacker to execute arbitrary code on the SimpleHelp server with the privileges of the SimpleHelp service account. This can result in a full compromise of the SimpleHelp server, potentially leading to data theft, service disruption, or further lateral movement within the network. The vulnerability affects SimpleHelp installations, and the impact is high due to the potential for complete system takeover.

Recommendation

• Apply the mitigations provided by SimpleHelp to patch the vulnerability. Refer to the vendor advisory for instructions: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
• Monitor SimpleHelp server file uploads for ZIP archives containing path traversal sequences (e.g., “../”) in filenames using a file integrity monitoring system (FIM) or endpoint detection and response (EDR) solution. Deploy the “Detect SimpleHelp Path Traversal ZIP Upload” Sigma rule to identify suspicious ZIP files.
• Implement strict access controls and regularly audit administrative access to the SimpleHelp console to prevent unauthorized users from exploiting the vulnerability.

]]>criticaladvisorycve-2024-57728path-traversalzip-sliphttps://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.The ci4ms application is vulnerable to a Zip Slip attack in its theme upload functionality. This vulnerability, present in versions prior to 0.31.5.0, allows an authenticated backend user with theme creation privileges to upload a specially crafted ZIP archive. Due to the lack of proper validation of entry names during extraction, the attacker can write files to arbitrary locations on the filesystem. This is achieved by including malicious path traversal sequences (e.g., ../../) in the ZIP archive’s entry names. The vulnerability allows an attacker to place a PHP webshell in the public web root, enabling remote code execution on the server. This issue poses a significant risk to organizations using ci4ms, as it allows attackers to fully compromise the installation and access sensitive data.

Attack Chain

1. An attacker authenticates to the ci4ms backend with an account possessing the theme create role.
2. The attacker crafts a malicious ZIP archive containing a PHP webshell (e.g., shell.php) and an info.xml file for theme validation. The webshell is placed with a path traversal sequence, such as ../../public/shell.php.
3. The attacker navigates to the theme upload functionality within the ci4ms backend, accessible via the backend/themes/themesUpload route.
4. The attacker uploads the malicious ZIP archive through the web interface, triggering the Theme::upload function.
5. The ZipArchive::extractTo() function extracts the contents of the ZIP archive to a temporary directory (WRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file->getName()) . '/') without validating entry names.
6. Due to the path traversal sequences in the ZIP archive, the PHP webshell is written to the web server’s document root (e.g., /var/www/html/public/shell.php).
7. The attacker accesses the PHP webshell via a web browser or command-line tool like curl, passing commands to be executed on the server (e.g., https://target.example.com/shell.php?c=id).
8. The webserver executes the attacker-supplied command, granting the attacker remote code execution on the compromised system.

Impact

Successful exploitation of this Zip Slip vulnerability allows an attacker to gain remote code execution on the ci4ms server. This grants the attacker full control over the server, potentially leading to the exfiltration of sensitive data, including database credentials stored in the .env file. The attacker can also modify or delete website content, install malware, or use the compromised server as a launching point for further attacks. This vulnerability affects versions of ci4ms prior to 0.31.5.0, and impacts any installation where an attacker can obtain theme creation privileges.

Recommendation

• Upgrade ci4ms to version 0.31.5.0 or later to patch CVE-2026-41203.
• Deploy the Sigma rule Detect CI4MS Webshell Upload via Theme Exploit to detect attempts to upload malicious themes containing webshells.
• Implement input validation and sanitization measures to prevent path traversal attacks in file upload functionalities.
• Restrict theme creation privileges to only trusted administrators and monitor theme creation activity for suspicious behavior.

]]>criticaladvisoryzip-sliprcecodeignitervulnerability