WinRAR 4.20 is vulnerable to ZIP file name spoofing. Please upgrade to WinRAR 5.00 release or later, which are not vulnerable.
As reported by ↴
, it is possible to create a specially crafted ZIP archive, so WinRAR 4.11 and 4.20 will display one archived file name while browsing archive contents, but assign another name to unpacked file. It leads to possible security risks for WinRAR 4.x users.
We investigated this issue and found that all WinRAR 5.x versions beginning from WinRAR 5.00 release are not affected, so we recommend WinRAR 4.x users to upgrade. If you still need to use WinRAR 4.20 for some reason, avoid opening files directly from ZIP archives and carefully check names of unpacked files before opening them.
We noticed a claim that WinRAR 5.10 is vulnerable:
copied by some news sites. We asked intelcrawler.com owners to provide a proof of this claim, but did not receive any response. According to our investigation, WinRAR 5.00, 5.01 and 5.10 do not have this issue.
Also both sites listed above mention that "WINRAR adds several properties of its own" to ZIP format, which is not true. Data which they report as WinRAR specific property is a standard ZIP central directory record, mandatory for any valid ZIP archive.
RAR archives and archives of other formats are not affected by this vulnerability.