CVE-2021-21706 Overview
CVE-2021-21706 is a path traversal vulnerability affecting PHP's ZipArchive::extractTo function on Microsoft Windows systems. The vulnerability allows an attacker to craft a malicious ZIP file that, when extracted using the vulnerable PHP function, can write files outside the intended target directory. This could lead to unauthorized file creation or overwriting of existing files, potentially enabling further attacks such as code execution or system compromise.
Critical Impact
Attackers can bypass directory restrictions to create or overwrite files anywhere on the system where PHP has write permissions, potentially leading to web shell deployment or configuration file tampering.
Affected Products
- PHP versions 7.3.x below 7.3.31
- PHP versions 7.4.x below 7.4.24
- PHP versions 8.0.x below 8.0.11
- Microsoft Windows (as the operating system environment)
Discovery Timeline
- 2021-10-04 - CVE CVE-2021-21706 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21706
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal) and CWE-24 (Path Traversal: '../filedir'). The flaw exists specifically in the Windows implementation of PHP's ZipArchive::extractTo method, which fails to properly sanitize file paths contained within ZIP archives before extraction.
When a PHP application uses ZipArchive::extractTo to decompress a ZIP file on Windows, the function does not adequately validate the file paths stored within the archive. An attacker can craft a ZIP file containing entries with path traversal sequences (such as ../ or absolute paths) that escape the intended extraction directory. The vulnerability requires user interaction, as the malicious ZIP file must be processed by a vulnerable PHP application.
The attack is network-accessible, meaning remote attackers can exploit this vulnerability by uploading or providing malicious ZIP files to vulnerable applications. While the vulnerability does not directly impact confidentiality or availability, it poses a significant integrity risk as it enables unauthorized file writes.
Root Cause
The root cause of this vulnerability lies in insufficient path validation within the ZipArchive::extractTo function when handling ZIP entry filenames on Windows systems. The function fails to properly normalize and validate file paths before writing extracted content to the filesystem, allowing specially crafted archive entries to escape the designated extraction directory.
Windows-specific path handling behaviors, including support for alternative path separators and potential encoding issues, contribute to the exploitation surface of this vulnerability.
Attack Vector
The attack requires an attacker to create a malicious ZIP archive containing files with crafted path names designed to escape the target extraction directory. The attack flow is as follows:
- Attacker creates a ZIP file with entries containing path traversal sequences (e.g., ../../webroot/shell.php)
- Attacker delivers the malicious ZIP file to a vulnerable PHP application (via file upload, URL download, etc.)
- The PHP application calls ZipArchive::extractTo to extract the archive contents
- Due to improper path validation, files are written outside the intended extraction directory
- Attacker gains the ability to create or overwrite files subject to OS permissions
The vulnerability could be chained with other attacks to achieve remote code execution, such as overwriting web-accessible PHP files or configuration files.
Detection Methods for CVE-2021-21706
Indicators of Compromise
- Unexpected files appearing outside designated upload or extraction directories
- Web shells or suspicious PHP files in web-accessible locations
- Modified configuration files with unexpected timestamps
- Log entries showing ZIP extraction operations followed by anomalous file access patterns
Detection Strategies
- Monitor PHP application logs for ZipArchive::extractTo operations, particularly those processing user-supplied files
- Implement file integrity monitoring (FIM) on critical directories to detect unauthorized file creation or modification
- Deploy web application firewalls (WAF) with rules to inspect uploaded ZIP files for path traversal sequences
- Review PHP application code for usage of ZipArchive::extractTo without proper input validation
Monitoring Recommendations
- Enable detailed logging for file system operations on Windows servers running PHP
- Monitor for creation of new PHP files in web-accessible directories
- Set up alerts for file modifications outside expected directories during ZIP extraction operations
- Implement network-level monitoring for large file uploads that may contain malicious ZIP archives
How to Mitigate CVE-2021-21706
Immediate Actions Required
- Upgrade PHP to version 7.3.31, 7.4.24, or 8.0.11 or later depending on your branch
- Audit PHP applications for usage of ZipArchive::extractTo and implement additional path validation
- Restrict file system permissions for the PHP process to minimize impact of potential exploitation
- Consider disabling ZIP upload functionality temporarily until patches are applied
Patch Information
PHP has released patched versions addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- PHP 7.3.x: Upgrade to 7.3.31 or later
- PHP 7.4.x: Upgrade to 7.4.24 or later
- PHP 8.0.x: Upgrade to 8.0.11 or later
For more information, refer to the PHP Bug Report #81420 and the NetApp Security Advisory NTAP-20211029-0007.
Workarounds
- Implement application-level path validation before calling ZipArchive::extractTo to reject entries containing path traversal sequences
- Use a whitelist approach to validate extracted filenames against expected patterns
- Extract files to an isolated temporary directory with restricted permissions, then move validated files to their final destination
- Consider using alternative archive handling libraries with built-in path traversal protections
# PHP upgrade example on Debian/Ubuntu systems
sudo apt-get update
sudo apt-get install php7.4=7.4.24-* # Or appropriate version for your installation
# Verify PHP version after upgrade
php -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
