Zip Symlink Vulnerability
Some applications allow users to upload and extract Zip files. A Zip archive can contain symbolic links. A symbolic link is a file that points to another file on the system instead of storing real data.
If the application extracts the archive without proper validation, the symbolic link may point to sensitive files outside the intended directory. This allows attackers to access files they should not be able to read.
Why this is dangerous
When the Zip file is extracted, the symbolic link is created on the server.
If the attacker can then access the extracted content through the web application, the symbolic link may give access to:
- /etc/passwd
- configuration files
- private keys
- environment variables
- other sensitive data
This leads to arbitrary file disclosure.
Attack flow
First create a symbolic link on your machine. This file will point to the sensitive file.
ln -s /etc/passwd passwd_link
This creates a file passwd_link that actually points to /etc/passwd.
Now zip this symbolic link.
Important: you must preserve the symlink when compressing.
zip --symlinks evil.zip passwd_link
or, equivalently:
zip -y evil.zip passwd_link
The -y or --symlinks option ensures the symbolic link is stored as a link, not the file content.
Upload evil.zip where the application allows archive uploads and extraction.
Common vulnerable features:
- Profile picture upload
- Document upload
- Backup restore
- File import systems
- CMS plugins
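As an added, defender-side example (not code from the original page), the following Python constructs an in-memory archive with the same shape that zip -y gives passwd_link, then shows how a server can vet every entry before anything is extracted: a symlink entry is recognised by the S_IFLNK bit in the Unix mode stored in external_attr, a name that escapes the destination is recognised by normalising it, and the upload is refused if either is present. The names build_sample_zip, audit_archive and safe_extract are this example's own assumptions.

```python
import io
import posixpath
import stat
import zipfile
# zip -y marks a symlink via S_IFLNK in the Unix mode (high 16 bits of external_attr)
SYMLINK_MODE = stat.S_IFLNK | 0o777

def build_sample_zip() -> bytes:
    """Constructed sample shaped like `zip -y evil.zip passwd_link`, plus extras."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("passwd_link")
        link.create_system = 3  # 3 = Unix, so extractors honour the mode bits
        link.external_attr = SYMLINK_MODE << 16
        zf.writestr(link, "/etc/passwd")  # the entry body is the link target
        zf.writestr("notes.txt", "harmless content")
        zf.writestr("../escape.txt", "would land outside the extraction dir")
    return buf.getvalue()

def entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)

def entry_escapes_root(name: str) -> bool:
    # Absolute names, or a leading '..' after normalisation, escape the root.
    norm = posixpath.normpath(name)
    return posixpath.isabs(name) or norm == ".." or norm.startswith("../")

def audit_archive(data: bytes) -> dict:
    """Classify every entry before anything touches the filesystem."""
    report = {"safe": [], "symlink": [], "traversal": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                report["symlink"].append((info.filename, target))
            elif entry_escapes_root(info.filename):
                report["traversal"].append(info.filename)
            else:
                report["safe"].append(info.filename)
    return report

def safe_extract(data: bytes, dest: str) -> list:
    """Fail closed: reject the whole upload on any symlink or traversal entry."""
    report = audit_archive(data)
    if report["symlink"] or report["traversal"]:
        raise ValueError(f"rejected archive: {report}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest, members=report["safe"])
    return report["safe"]
```

Python's own zipfile never creates a symlink on extraction (it writes the target string out as a regular file), but unzip and most native extractors do, so this check belongs in front of whichever extractor the application actually calls.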