
Is Essentials capable of handling so-called zip bombs

Comments

2 comments

  • Tom Neer
    Luuk,

    Interesting question... Considering building a smaller zip bomb and testing on our test server (after a full backup image). My assumption is that because Essentials utilizes a server-side DLL library for decompressing these files, it may be vulnerable. However, if you are running virus software on your server, hopefully it would quarantine the file. Another test scenario.

    I will make a bit of a plug here. If you are using Workflow 5, you could use our free Geocortex Workflow 5 Conversion Activities (https://www.geowidgets.io/products/geowidgets-workflow-activities/) which include client-side zip activities. The unzip activity performs the decompression in the client browser. We have not tested this but if it does what I think it would, it would be hilarious. May test that also...
  • Luuk Schaminée
    We are using Essentials 4. Perhaps we can create a Workflow 5 workflow which in its turn calls the existing Workflow 4 workflow. This would be a workaround. It is still possible to send a zip bomb to Essentials 4.

    My thought to solve this is to check what the extracted size of the contents of a zip file will be and which sort of files are zipped (and only extract the known files (shp, shp, shx, csv, ...)). This must be done before the file is decompressed on the server? A setting for a maximum extracted file size would be nice. This must be incorporated in the Essentials Core code.
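The checks Luuk sketches above (read the declared extracted size and the member types before decompressing, keep an allowlist of known file types, and enforce a maximum extracted size) written out as an added Python example. This is not code from the thread, from Essentials or from Geocortex; the allowlist, the 10 MiB total limit and the 100x ratio cap are assumed policy values, and both archives are constructed in memory for the demonstration. It also covers the caveat the pre-check alone misses: the sizes in a zip's central directory are written by whoever built the archive, so the byte limit is enforced a second time while the data is actually being inflated, and the allowlist keeps nested .zip members (the recursive kind of bomb) out.

```python
import io
import os
import zipfile

# Assumed policy values for this example (not Essentials settings).
ALLOWED_EXTENSIONS = {".shp", ".shx", ".dbf", ".prj", ".csv"}
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024   # 10 MiB across the whole archive
MAX_RATIO = 100                              # reject a member claiming > 100x expansion


def build_archive(members: dict) -> bytes:
    """Build a deflate-compressed zip in memory from {name: content} (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign shapefile-style upload, and an archive that mimics a
# zip bomb with one member inflating to 20 MiB of zeros (roughly 1000:1 under deflate).
BENIGN = {"roads.csv": b"id,name\n1,Main St\n", "roads.shp": bytes(range(100))}
BOMB = {"roads.csv": b"id,name\n", "payload.txt": b"\x00" * (20 * 1024 * 1024)}


def inspect_archive(data: bytes, limit: int = MAX_TOTAL_UNCOMPRESSED) -> list:
    """Screen the central directory before inflating anything.

    Returns a list of rejection reasons (empty means the archive passed). Only
    metadata is read here; no member is decompressed."""
    problems = []
    declared_total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:   # also excludes nested .zip members
                problems.append(f"{info.filename}: type {ext or '(none)'} not allowed")
            declared_total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"{info.filename}: declared ratio exceeds {MAX_RATIO}x")
    if declared_total > limit:
        problems.append(f"declared total {declared_total} bytes exceeds limit {limit}")
    return problems


def extract_member_bounded(zf: zipfile.ZipFile, info: zipfile.ZipInfo, limit: int) -> bytes:
    """Inflate one member in chunks and abort as soon as the running total passes limit.

    The central-directory sizes are attacker-controlled, so the metadata screen
    can be lied to; this cap holds regardless of what the header declares."""
    out = io.BytesIO()
    produced = 0
    with zf.open(info) as src:
        while True:
            chunk = src.read(64 * 1024)
            if not chunk:
                break
            produced += len(chunk)
            if produced > limit:
                raise ValueError(f"{info.filename}: exceeded {limit} bytes while inflating")
            out.write(chunk)
    return out.getvalue()


def read_bounded(data: bytes, name: str, limit: int) -> bytes:
    """Convenience wrapper: inflate a single named member under the byte cap."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return extract_member_bounded(zf, zf.getinfo(name), limit)


def safe_extract(data: bytes, limit: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Apply the metadata screen, then inflate under one shared byte budget."""
    problems = inspect_archive(data, limit)
    if problems:
        raise ValueError("; ".join(problems))
    files = {}
    remaining = limit
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = extract_member_bounded(zf, info, remaining)
            remaining -= len(content)
            files[info.filename] = content
    return files


if __name__ == "__main__":
    print("benign:", inspect_archive(build_archive(BENIGN)) or "accepted")
    print("bomb:  ", inspect_archive(build_archive(BOMB)))
```

The two layers are deliberate: the metadata screen is cheap and rejects the obvious cases without touching the deflate stream, while the streaming cap is what actually bounds disk and memory use when the header lies. In a server-side component such a limit would normally come from configuration rather than a constant, which is the "maximum extracted file size" setting Luuk asks for.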
