PA 19.00.51 - bug / unwanted code execution



  • Hi.

    I have found out that, if there is a folder inside an archive and the user extracts it, there is potential unwanted code execution in the function “open file location”, provided the name of the folder is the same as the name of the exe file in the parent directory.

    If in the same directory of the extracted folder / subfolder there is an exe with the same name as the extracted directory, if ‘open folder when completed’ function is checked, PowerArchiver will open the exe in the parent directory, named the same as the folder being extracted, instead of opening the actual subfolder, named the same as the .EXE in the parent folder.

    To ease the confusion of my words, I have made a youtube video demonstrating this PoC:

    Youtube link (unlisted) with PoC

    Thank you!

    For any questions please contact me and I will try to explain more if applicable.


  • conexware

    @2Flo please try with following release:
    https://forums.powerarchiver.com/topic/6189/fast-ring-powerarchiver-2019-19-00-51-54-57

    and let us know if this works fine… also send us an email to support@conexware.com to get free license for PA 2019 Toolbox, for important bug discovery. Thank you!


  • conexware

    @2Flo
    Thanks very much for the thorough details. Was able to reproduce this immediately and have logged it in for fixing.


  • conexware

    @2Flo please try with following release:
    https://forums.powerarchiver.com/topic/6189/fast-ring-powerarchiver-2019-19-00-51-54-57

    and let us know if this works fine… also send us an email to support@conexware.com to get free license for PA 2019 Toolbox, for important bug discovery. Thank you!



  • @spwolf thank you so much for your contribution as well!

    I actually do have a lifetime license for PA Toolbox that I’ve bought from your website so it would not be fair to profit for a second license in this case. The fact that the bug was worked on to be solved is more important for me.

    I will test it later today or tomorrow and let you know since I’m not home right now. And I will provide all the relevant details.


  • conexware

    @2Flo said in PA 19.00.51 - bug / unwanted code execution:

    @spwolf thank you so much for your contribution as well!

    I actually do have a lifetime license for PA Toolbox that I’ve bought from your website so it would not be fair to profit for a second license in this case. The fact that the bug was worked on to be solved is more important for me.

    I will test it later today or tomorrow and let you know since I’m not home right now. And I will provide all the relevant details.

    if you want, you can gift this license to someone as well.

    Please check it out and let us know. Thanks!



  • @spwolf thank you so much!

    Later today i will confirm whether the bug is fixed first and i will give out the license as a gift.

    Sharing is caring 🙂

    Stay tuned for future update soon.



  • @spwolf

    I have only one question about the license (to know what to tell the person i will gift it to).

    Does it cover future program updates and upgrades or only the minor updates for the latest major version?

    Thank you!



  • @spwolf I just tested it

    Extracted it 4 more depths inside folders (7 folders in total) than the last try, which was 3 folders in depth. Same settings

    The program was not executed. It seems that the fix has worked 😃

    Thank you all for your involvement in fixing this bug!


Log in to reply