Sometimes I really love the names security researchers come up with to label a security issue. Today's fun-sounding security vulnerability is called ZipSlip, and the name is surprisingly accurate. ZipSlip was disclosed by the security firm Snyk and appears to be affecting thousands of projects. In spite of the fun name, this is a serious vulnerability that could have been avoided.

How ZipSlip Works

ZipSlip takes advantage of how files compressed with the zip format are handled during decompression. Basically, attackers can create an archive whose entries traverse a path out of the extraction folder to overwrite important files, thereby infecting the target system. Attackers will use this tactic on a system they can exploit remotely, so primarily web servers or other internet-connected systems that accept a zip file as input. Even though this problem comes from the zip file format, it is not a problem with Zip. The issue comes from bad or lazy programmers.
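The check that vulnerable extraction code leaves out, shown as an added example (not code from Snyk's disclosure or from any affected project): every entry name is resolved against the target directory and the whole archive is rejected if any entry lands outside it. The function names and the in-memory archive helper are constructed for illustration.

```python
import io
import os
import shutil
import zipfile


class UnsafeEntry(Exception):
    """Raised when an archive entry would be written outside the target directory."""


def resolve_inside(dest_dir, entry_name):
    """Return the absolute path for entry_name, or raise if it leaves dest_dir."""
    root = os.path.realpath(dest_dir)
    # Treat "\" like "/" so the check also holds for archives built on Windows.
    candidate = os.path.realpath(os.path.join(root, entry_name.replace("\\", "/")))
    # realpath collapses ".." and symlinks; an absolute entry name replaces root entirely.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeEntry(entry_name)
    return candidate


def safe_extract(zip_bytes, dest_dir):
    """Validate every entry first, then write; nothing is written if any entry is unsafe."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        targets = [(info, resolve_inside(dest_dir, info.filename))
                   for info in archive.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with archive.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
        return written


def build_archive(entries):
    """Build a constructed in-memory zip from {name: bytes} for testing the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()
```

Validating all entries before writing any of them means a rejected upload leaves no partial files behind.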

If we could just avoid those projects developed by lazy or bad programmers, then this problem wouldn't be much of anything. Unfortunately, developers depend on shared libraries to build their projects. All it takes is for this vulnerability to affect one popular shared library, and the result is a rather large ripple effect. Many shared libraries are Open Source and have contributions from hundreds or even thousands of programmers. All it takes is one bad commit and now a project can be vulnerable.

What's Next?

It sounds scary, but don't worry. Those of us who program professionally are very good at finding and fixing problems such as these when they come to light. We have very quickly seen the developer community come together to start identifying the affected projects and working on fixes. While there is a lot of noise being made about this vulnerability, it's really just another bug, albeit one with a neat name and logo.

This is where Active Site Maintenance becomes vital to continuing to run a successful website. We provide this service to actively maintain your website, watching for threats and implementing patches, all to make sure your company's website is protected.