界: Input Validation and Representation
輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括:「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。
Android Misconfiguration: Zip Entry Overwrite Protection Disabled
Abstract
Zip Entry Overwrite Protection 已停用。Zip Entry Overwrite Protection 透過提供 Zip 檔案項目名稱的驗證功能來防止 Zip Path Traversal 弱點。
Explanation
當惡意動作執行者可以在指定 Zip 檔案中指定 Zip 檔案項目名稱時,就會出現 Zip Path Traversal 弱點。當惡意指定 Zip 檔案項目名稱時,攻擊者可以在擴充對應的 Zip 檔案時覆寫關鍵系統檔案的內容。攻擊者可能會使用此類路徑穿越習慣用法 (例如
範例 1:以下程式碼將停用 Zip Entry Overwrite Protection。
../ 和 /) 來存取不在程式範圍內的系統檔案。依預設,瞄準 Android 14 及更高版本的 Android 應用程式可能會在 Zip 檔案解壓縮過程中偵測到 ../ 和 / 等習慣用法時法時拋出異常。此安全功能可以被覆寫或完全停用。範例 1:以下程式碼將停用 Zip Entry Overwrite Protection。
...
dalvik.system.ZipPathValidator.clearCallback();
...
References
[1] Zip Path Traversal
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.semantic.java.android_misconfiguration_zip_entry_overwrite_protection_disabled