qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-45855: Report-CVE/qdPM/9.2/Directory Traversal.md at main · SunshineOtaku/Report-CVE

An issue in ZPE Systems, Inc Nodegrid OS v.5.8.10 thru v.5.8.13 and v.5.10.3 thru v.5.10.5 allows a remote attacker to obtain sensitive information via the TACACS+ server component.

CVE-2023-44037

All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.

Hi,

We would like to report a potential security vulnerability.  
The bug is introduced because the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.

Here is the proof of concept.

    var qpdf = require('node-qpdf');
    
    var options = {
        keyLength: 128,
        password: 'YOUR_PASSWORD_TO_ENCRYPT'
    }
    
    qpdf.encrypt('test.pdf ||touch rce||', options); // a file named rce will be created

CVE-2023-26155: Potential command injection vulnerability in node-qpdf · Issue #23 · nrhirani/node-qpdf

Multiple Stored Cross Site Scripting (XSS) vulnerabilities in Opart opartmultihtmlblock before version 2.0.12 and Opart multihtmlblock* version 1.0.0, allows remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field in /sourcefiles/BlockhtmlClass.php and /sourcefiles/blockhtml.php.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

Multiple cross-site scripting (XSS) vulnerabilities of Type 2 (Stored XSS) B2F (Back to front) in the Multi html block (opartmultihtmlblock) module and multihtmlblock\* sub-modules from Opart for PrestaShop, prior to version 2.0.12, allows remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field.

**Summary**

*   **CVE ID**: CVE-2023-30148
*   **Published at**: 2023-10-10
*   **Advisory source**: Friends-Of-Presta
*   **Platform**: PrestaShop
*   **Product**: opartmultihtmlblock and multihtmlblock\* sub-modules
*   **Impacted release**: For opartmultihtmlblock <= 2.0.11 (Fixed in 2.0.12), for multihtmlblock\* : = 1.0.0
*   **Product author**: Opart
*   **Weakness**: CWE-79
*   **Severity**: medium (6.1)

**Description**

Prior to version 2.0.12 of the Prestashop Multi html block (opartmultihtmlblock) module and multihtmlblock\* sub-modules for PrestaShop, scripts can be injected into the database by the admin configuration form or chained by an SQL injection, which can then be executed in user browsers.

**WARNING**: This vulnerability has been seen as exploited to inject malicious code into the payment page using the displayBanner hook from the multihtmlblockmessageheader sub-module (exploited by a compromised admin).

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: high
*   **User interaction**: high
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

**Possible malicious usage**

*   Hijack payment modules
*   Redirect users to another website
*   Technical and personal data leaks

**Patch**

Patches listed below will:

1.  Sanitize the admin form (removing scripts thanks to isCleanHtml validate, and removing iframes is not authorized in HTML fields
2.  Sanitize the string saved in the database before displaying it (to disable corrupted data from SQL injections)

Please note that these patches should be applied to the main module opartmultihtmlblock and all multihtmlblock\* sub-modules. For the main module, the component to modify is the class BlockhtmlClass in sourcefiles directory and well as the main class Blockhtml, and for the sub-modules, the component to edit is the Multihtmlblock*Class as well as the main class Multihtmlblock*

    --- a/sourcefiles/BlockhtmlClass.php
    +++ b/sourcefiles/BlockhtmlClass.php
    @@ -62,8 +62,8 @@ class %Modulename%Class extends ObjectModel
                    'fields' => array(
                            'id_shop' =>                            array('type' => self::TYPE_INT, 'validate' => 'isunsignedInt', 'required' => true),
                            // Lang fields
    -                       'body_text' =>                  array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isString'),
    -                        'body_text_rude' =>            array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isString'),
    +                       'body_text' =>                  array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isCleanHtml'),
    +                        'body_text_rude' =>            array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isCleanHtml'),
                             'all_pages' => array('type' => self::TYPE_BOOL, 'validate' => 'isBool'),
                             'show_on_home' =>            array('type' => self::TYPE_STRING, 'validate' => 'isBool'),
                             'category_id' =>            array('type' => self::TYPE_STRING, 'validate' => 'isString'),
    

    --- a/sourcefiles/blockhtml.php
    +++ b/sourcefiles/blockhtml.php
    @@ -384,9 +384,27 @@ class %Modulename% extends Module
                                 $blockhtml=new %Modulename%Class();
                                 $blockhtml->id_shop=$id_shop;                                
                                 $blockhtml->copyFromPost();
    +                            // Validate if our html fields contains an iframe
    +                            $isIframeValidated = $this->validateIframe($blockhtml->body_text);
    +                            $isIframeValidated = $isIframeValidated ?
    +                                $this->validateIframe($blockhtml->body_text_rude) :
    +                                $isIframeValidated;
    +                            if (!$isIframeValidated) {
    +                                // There is an iframe that is not allowed, we stop here
    +                                return false;
    +                            }
                                 $blockhtml->save();
                            }
                             $blockhtml->copyFromPost();
    +                        // Validate if our html fields contains an iframe
    +                        $isIframeValidated = $this->validateIframe($blockhtml->body_text);
    +                        $isIframeValidated = $isIframeValidated ?
    +                            $this->validateIframe($blockhtml->body_text_rude) :
    +                            $isIframeValidated;
    +                        if (!$isIframeValidated) {
    +                            // There is an iframe that is not allowed, we stop here
    +                            return false;
    +                        }
                             $blockhtml->update();
                             
                            $this->messages[]=$this->l('Block successfuly update');
    @@ -395,6 +413,25 @@ class %Modulename% extends Module
                    }
            }
     
    +    /**
    +     * Validate a string depending if iframes are allowed in HTML fields
    +     *
    +     * @param string $htmlBody
    +     *
    +     * @return bool
    +     */
    +    protected function validateIframe($htmlBody)
    +    {
    +        foreach ($htmlBody as $stringToValidate) {
    +            if (!Configuration::get('PS_ALLOW_HTML_IFRAME') &&
    +                preg_match('/<iframe.*src=\"(.*)\".*><\/iframe>/isU', $stringToValidate)) {
    +                $this->erreurs[] = $this->trans('To use <iframe>, enable the feature in Shop Parameters > General');
    +                return false;
    +            }
    +        }
    +        return true;
    +    }
    +
             private function getIsInArray($controller_name,$obj_value,$the_get) {
                 if(get_class($this->context->controller)==$controller_name && $obj_value != "") {
                     $id_array = explode(',',$obj_value);
    @@ -478,7 +515,10 @@ class %Modulename% extends Module
                     
                     if(!$this->displayAllowed($blockhtml))
                         return false;
    -                
    +        // Remove all scripts tags (including inline scripts)
    +        $blockhtml->body_text_rude = $this->sanatizeHtmlForDisplay($blockhtml->body_text_rude);
    +        $blockhtml->body_text = $this->sanatizeHtmlForDisplay($blockhtml->body_text);
    +
                    $this->smarty->assign(array(
                            'blockhtml' => $blockhtml,
                            'default_lang' => (int)$this->context->language->id,
    @@ -495,6 +535,68 @@ class %Modulename% extends Module
                         return $this->display(__FILE__, 'views/templates/ps17/blockhtml.tpl');
            }
            
    +    /**
    +     * Remove JavaScript from HTML
    +     * Credit to : https://www.mradeveloper.com/blog/remove-javascript-from-html-with-php
    +     *
    +     * @param string $inputP
    +     *
    +     * @return string sanatized HTML
    +     */
    +    protected function sanatizeHtmlForDisplay($inputP)
    +    {
    +        $spaceDelimiter = "#BLANKSPACE#";
    +        $newLineDelimiter = "#NEWLNE#";
    +                                    
    +        $inputArray = [];
    +        $minifiedSanitized = '';
    +        $unMinifiedSanitized = '';
    +        $sanitizedInput = [];
    +        $returnData = [];
    +        $returnType = "string";
    +
    +        if($inputP === null) return null;
    +        if($inputP === false) return false;
    +        if(is_array($inputP) && sizeof($inputP) <= 0) return [];
    +
    +        if (is_array($inputP)) {
    +            $inputArray = $inputP;
    +            $returnType = "array";
    +        } else {
    +            $inputArray[] = $inputP;
    +            $returnType = "string";
    +        }
    +
    +        foreach($inputArray as $input)
    +        {
    +            $minified = str_replace(" ",$spaceDelimiter,$input);
    +            $minified = str_replace("\n",$newLineDelimiter,$minified);
    +
    +            //removing <script> tags
    +            $minifiedSanitized = preg_replace("/[<][^<]*script.*[>].*[<].*[\/].*script*[>]/i","",$minified);
    +
    +            $unMinifiedSanitized = str_replace($spaceDelimiter," ",$minifiedSanitized);
    +            $unMinifiedSanitized = str_replace($newLineDelimiter,"\n",$unMinifiedSanitized);
    +
    +            //removing inline js events
    +            $unMinifiedSanitized = preg_replace("/([ ]on[a-zA-Z0-9_-]{1,}=\".*\")|([ ]on[a-zA-Z0-9_-]{1,}='.*')|([ ]on[a-zA-Z0-9_-]{1,}=.*[.].*)/","",$unMinifiedSanitized);
    +
    +            //removing inline js
    +            $unMinifiedSanitized = preg_replace("/([ ]href.*=\".*javascript:.*\")|([ ]href.*='.*javascript:.*')|([ ]href.*=.*javascript:.*)/i","",$unMinifiedSanitized);
    +
    +                                        
    +            $sanitizedInput[] = $unMinifiedSanitized;
    +        }
    +
    +        if ($returnType == "string" && sizeof($sanitizedInput) > 0) {
    +            $returnData = $sanitizedInput[0];
    +        } else {
    +            $returnData = $sanitizedInput;
    +        }
    +                                    
    +        return $returnData;
    +    }
    +    
            public function hookDisplayTop($param)  {
                    return $this->hookDisplayLeftColumn($param);
            }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module
*   To mitigate potential issues arising from credential leaks, enforce mandatory 2FA for backoffice logins. This will necessitate the integration of a 2FA module.

**Timeline**

Date

Action

2023-02-10

First exploit detected in server logs

2023-03-11

Discovery and POC of the vulnerability by Profileo

2023-03-12

Contacting the editor

2023-03-14

Editor confirmed the vulnerability and is planning a new release of the module

2023-03-15

First patch (2.0.11) of the module suggested. Additional fixes were required

2023-03-15

New release of the module (2.0.12)

2023-04-03

The editor communicated with known customers concerning the vulnerability

2023-04-21

CVE ID Received

2023-10-10

Publishing this security advisory

**Links**

*   Editor Website store-opart
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-30148: [CVE-2023-30148] Multiple cross-site scripting (XSS) vulnerabilities in the Multi html block (opartmultihtmlblock) module and multihtmlblock* sub-modules from Opart for PrestaShop

Multiple improper neutralization of SQL parameters in module AfterMail (aftermailpresta) for PrestaShop, before version 2.2.1, allows remote attackers to perform SQL injection attacks via `id_customer`, `id_conf`, `id_product` and `token` parameters in `aftermailajax.php via the 'id_product' parameter in hooks DisplayRightColumnProduct and DisplayProductButtons.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

Multiple SQL injection vulnerabilities in the AfterMail (aftermailpresta) module from Shoprunners for PrestaShop, prior to version 2.2.1, allows remote attackers to execute arbitrary SQL commands via the id_customer, id_conf, id_product or token parameter in aftermailajax.php and via the id_product parameter in hooks DisplayRightColumnProduct and DisplayProductButtons.

**Summary**

*   **CVE ID**: CVE-2023-30154
*   **Published at**: 2023-10-10
*   **Advisory source**: Friends-Of-Presta
*   **Platform**: PrestaShop
*   **Product**: aftermailpresta
*   **Impacted release**: < 2.2.1 (fixed in 2.2.1)
*   **Product author**: Shoprunners
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

In the AfterMail (aftermailpresta) module for PrestaShop, multiple vulnerabilities can be exploited in versions prior to 2.2.1:

*   An HTTP request can be manipulated using the id_customer, id_conf, id_product or token GET parameters, in the /modules/aftermailpresta/aftermailajax.php endpoint, enabling a remote attacker to perform a SQL injection.
*   An HTTP request can be manipulated using id_product GET parameter, in the /modules/aftermailpresta/aftermailpresta.php endpoint (in DisplayRightColumnProduct and DisplayProductButtons hooks), enabling a remote attacker to perform a SQL injection.

Since one of these vulnerabilities relies on PrestaShop’s hooks system, this will, by design, hide the module path. As a result, conventional frontend logs won’t reveal that this vulnerability is being exploited. Only POST /{product_path} or GET /{product_path} will be visible in logs. Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

These issues are fixed in version 2.2.1, published in September 2022.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch**

Multiple SQL injections fixed in aftermailajax.php:

    --- modules/aftermailpresta/aftermailajax.php
    +++ modules/aftermailpresta/aftermailajax.php
    @@ -45,7 +45,7 @@ function subscribe()
         $id_conf = Tools::getValue('id_conf');
         $id_customer = Context::getContext()->customer->id;
         
    -    $result = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . $id_product . ' AND id_customer = ' . $id_customer);
    +    $result = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . (int)$id_product . ' AND id_customer = ' . (int)$id_customer);
         $taken = false;
         $saved = false;
         if (empty($result)) {
    @@ -74,7 +74,7 @@ function unsubscribe()
         
         $token = Tools::getValue('token');
         
    -    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_product = ' . $id_product . ' AND id_customer = ' . $id_customer . ' AND id_aftermail_conf = ' . $id_conf . ' AND unsubscribe = "' . $token . '"');
    +    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_product = ' . (int)$id_product . ' AND id_customer = ' . (int)$id_customer . ' AND id_aftermail_conf = ' . (int)$id_conf . ' AND unsubscribe = "' . pSQL($token) . '"');
         $rows = Db::getInstance()->Affected_Rows();
         
         $mod = new AfterMailPresta();
    @@ -91,7 +91,7 @@ function unsubscribeAll()
         $id_customer = Tools::getValue('customer_id');
         $token = Tools::getValue('token');
         
    -    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_customer = ' . $id_customer . ' AND unsubscribe_all = "' . $token . '"');
    +    $success = Db::getInstance()->execute('DELETE FROM `' . _DB_PREFIX_ . 'aftermail_queue` WHERE id_customer = ' . (int)$id_customer . ' AND unsubscribe_all = "' . pSQL($token) . '"');
         $rows = Db::getInstance()->Affected_Rows();
         
         $mod = new AfterMailPresta();
    
    

SQL injection fixed in aftermailpresta.php:

    --- modules/aftermailpresta/aftermailpresta.php
    +++ modules/aftermailpresta/aftermailpresta.php
    @@ -888,7 +888,7 @@ class AftermailPresta extends Module
                     $ids = explode(',', $row['subscribe_ids']);
                     foreach ($ids as $id) {
                         if ($row['subscribe_ids'] == '0' || trim($id) === Tools::getValue("id_product")) {
    -                        $result2 = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . Tools::getValue("id_product") . ' AND id_customer = ' . $this->context->customer->id);
    +                        $result2 = Db::getInstance()->ExecuteS('SELECT * FROM `' . _DB_PREFIX_ . 'aftermail_queue` ' . 'WHERE id_product = ' . (int)Tools::getValue("id_product") . ' AND id_customer = ' . $this->context->customer->id);
                             if (empty($result2)) {
                                 // 2. get frequencies
                                 $frequencies = explode(',', $row['reminder_frequency']);
    

**Other recommendations**

*   It’s **highly recommended to upgrade the module** to the latest version or to **delete** the module if unused.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2022-09-10

Discovery of the vulnerability by Profileo.com

2022-09-10

Contacting the author of the module to notify him about the discovery

2022-09-10

The author confirmed the vulnerability and released the version 2.2.1

2023-04-02

Contact the author back to clarify changes in the published version

2023-04-21

Receiving the CVE ID from Mitre

2023-08-20

Contact PrestaShop to clarify changes in the published version

2023-08-21

Contact the author to notify him about the upcoming publication

2023-10-10

Publication of this security advisory

**Links**

*   AfterMail Module
*   National Vulnerability Database CVE-2023-30154

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-30154: [CVE-2023-30154] Improper neutralization of SQL parameters in AfterMail (aftermailpresta) module from Shoprunners for PrestaShop

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.

Note (2022) : minizip source are avaiable on the contrib/zlib github page. There is also minizip-ng, a rewritten library with more feature (like zlib-ng, a reworked and faster zlib)

. You'll also find SmartVersion with source code.

Click to download Minizip (zip/unzip) package for zLib version 1.01h, with minor bugfixes, or, better, 1.1 (with zip64 support).

This package enables to extract files from a .zip archive file. It is compatible with PKZip 2.04g, WinZip, InfoZip, MimarSinan Codex Suite 2002 tools, and compatible sofware.  
It runs both under Linux and Windows, and probably other systems too. Encryption, multi-volume Zip files (span), and old compression methods used by old PKZip 1.x are not supported.  
See appnote-011203-iz.zip or appnote-iz-latest.zip for the specification of ZIP format (or appnote-981119-iz.zip for older versions). Pkware provides also probdesc.zip and an HTML page with the specification.

**What is Minizip (Zip/Unzip)?**

The Zlib library allows to deflate compressed files and to create gzip (.gz) files. Zlib is free software and small.

An archive in ZIP format can contain several files compressed with this method, while a .gz archive can containt only one file. It is a very popular format, that is why I have written a package for reading files compressed within a Zip archive.

**How to get the Minizip package**

You need the source code of Zlib (**zlib125.zip** or **zlib-1.2.5.tar.gz**. For previous version, get zlib114.zip, or by FTP zlib114.zip).  
Now, with version 1.23,1.24,1.25 and 1.14 of zLib, the Minizip library is inlucded in the contrib/minizip directory.

In **zlib125dll.zip** there is the Win32 Windows DLL of my Windows DLL named Zlibwapi.dll that contains both zLib and Minilib.  
For previous version, in zlib114dll.zip you will find Windows DLL (Win16 and Win32) and static library (Win32) of Zlib 1.14 WITH zip/unzip package.  
Please note I have added in buildzlib114dll.zip the version of zip.c/unzip.c (0.21).  
You must read zip.h and unzip.h, which contains the documentation of the zip and unzip functions.

March 2003: you can get version 0.21 with support of custom I/O functions to read and write zip files, and raw I/O (in order to duplicate files from one zip archive to another without uncompressing nor compressing). There is also a modified version of unzip with uncrypting, written by Terry Thorsen).  
You can also get version 0.22e with crypting/uncrypting (do a #define NOCRYPT if you don't need it) and adding a file to an existing Zip archive.

15 March 2010: You can now download version 1.01h, with minor bugfixes, or, better, 1.1 with zip64 support.  
Justin Fletcher wrote a very simple implementation of a memory access method for the ioapi code (ioapi\_mem\_c.zip). Ivan A. Krestinin wrote a small example of how delete a file from zip archive. This example is not fully tested (memory leaks are possible if the source archive is corrupt), but it might help you.

**Unzipping files**

The source code is made of only two files: unzip.h and unzip.c (plus ioapi.c and a few other include files). It uses the Zlib library.

miniunz.c is a very simple, but real unzip program. It can display files contained in a Zip archive or extract them.

**Zipping files**

The source code is made of only two files: zip.h and zip.c (plus ioapi.c and a few other include files). It uses the Zlib library.

minizip.c is a very simple, but real zip program.

**A C++ Wrapper**

Daniel Godson made a C++ wrapper to the zip/unzip library. Another can be found at Troels page.

**A full MFC sample**

In the CodeGuru developers site, there is an excellent example, 'Implementing a "Send as ZIP-File" command in Scribble' written by Stefan Kuhr. Unfortunately, this example is not built with the good, standard zLib DLL (see the DLL page). Download mapizip\_demo\_gooddll.zip for a fixed project which uses the good DLL.

**Extension to Minizip**

Troels K. worked hard on the Minizip library. He has made several add-on, including a proposal for unzAttach/unzDetach.

**Other examples**

Jukka Pihl wrote mod\_ziplook Apache module. It enables to view zip archive files directly in Apache without extracting them to the filesystem. It also uses HTTP compression (supported by W3C, like Microsoft IIS, Apache mod\_deflate and examples in python and jython. Bashuman Deb wrote a FTP paging Support for miniunz.

**Miscellaneous**

The Gilles vollant software forum contain a section about Minizip.

Please also email me for feedback.

**Future of ZIP file format**

It seems that the ZIP file format will changes. The web sites PCWorld (and this new article), IDG, SlashDot contain information about ZIP's future. PkWare site contains a new specification, InfoZip has also a ZIP specification. WinZip specifies also new encryption. The PKWare specification mentions a new BZip2 compression method (there is a "zlib-like" library for BZip2 compression).

_Latest revision : 2010-03-15_

CVE-2023-45853: Minizip: Zip and UnZip additionnal library

In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.

CVE-2023-45852

Farmbot-Web-App is a web control interface for the Farmbot farm automation platform. An SQL injection vulnerability was found in FarmBot's web app that allows authenticated attackers to extract arbitrary data from its database (including the user table). This issue may lead to Information Disclosure. This issue has been patched in version 15.8.4. Users are advised to upgrade. There are no known workarounds for this issue.

**Summary**

An SQL injection vulnerability was found in FarmBot's web app that allows authenticated attackers to extract arbitrary data from its database (including the user table).

**Impact**

This issue may lead to Information Disclosure.

CVE-2023-45674: SQL injection vulnerability in Farmbot-Web-App

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.

**Summary**

I spotted two instances of user input with unchecked length at the following locations in the Zephyr WiFi shell module source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/l2/wifi/wifi\_shell.c#L334-L335  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/l2/wifi/wifi\_shell.c#L355-L356

**Details**

Unchecked user input length in /subsys/net/l2/wifi/wifi\_shell.c:

static int \_\_wifi\_args\_to\_params(size\_t argc, char \*argv\[\],
				struct wifi\_connect\_req\_params \*params)
{
	char \*endptr;
	int idx \= 1;

	if (argc < 1) {
		return \-EINVAL;
	}

	/\* SSID \*/
	params\->ssid \= argv\[0\]; /\* VULN: unchecked length (should be max 32) \*/
	params\->ssid\_length \= strlen(params\->ssid);

	/\* Channel (optional) \*/
	if ((idx < argc) && (strlen(argv\[idx\]) <= 3)) {
...

	/\* PSK (optional) \*/
	if (idx < argc) {
		params\->psk \= argv\[idx\]; /\* VULN: unchecked length (should be min 8, max 64) \*/
		params\->psk\_length \= strlen(argv\[idx\]);
		/\* Defaults \*/
		params\->security \= WIFI\_SECURITY\_TYPE\_PSK;
		params\->mfp \= WIFI\_MFP\_OPTIONAL;
		idx++;

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

The unchecked inputs may cause buffer overflows in other locations, the impact of which could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main (v3.5 development cycle) #60537
*   3.4 #61383

CVE-2023-4257: Unchecked user input length in the Zephyr WiFi shell module

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Source

CVE