NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
Summary
Path Traversal to Arbitrary File Deletion in the Edit Comment admin function. An authenticated administrator can delete arbitrary files within the application root (e.g., config.php) by injecting a crafted attach parameter, rendering the application inoperable.
Affected Component
modules/comment/admin/edit.php
Root Cause
In the vulnerable version, the attach parameter received via HTTP POST was not validated before being processed:
// Vulnerable code (before fix)
$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}substr() strips the first N characters (equal to the length of the upload URL prefix, e.g. 26 chars for /nukeviet/uploads/comment/). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can store ../../ directly into the database.
When the comment is subsequently deleted, del.php reads attach from the database and calls:
nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']);nv_deletefile() resolves the path via realpath() and only verifies the result is within NV_ROOTDIR — it does not restrict deletion to the uploads directory — allowing deletion of any file in the installation root.
Steps to Reproduce
- Log in as an administrator and navigate to Admin → Comment Management.
- Select any comment and open the Edit form.
- Intercept the POST request and set the
attachparameter to:
aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php*(26 padding characters + traversal path)*
- Submit the request. The value
../../config.phpis now stored in the database. - Delete the comment.
config.phpis deleted from the application root. - The application immediately redirects to the install wizard, confirming the file has been removed.
Impact
- Any file readable by the web server process within
NV_ROOTDIRcan be permanently deleted. - Deleting
config.phpcauses a full application outage and exposes the install wizard.
Severity
CVSS v3.1 Base Score: 8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H| Metric | Value | |--------|-------| | Attack Vector | Network | | Attack Complexity | Low | | Privileges Required | High (Admin required) | | User Interaction | None | | Scope | Changed | | Confidentiality | None | | Integrity | High | | Availability | High |
Fix
Added nv_is_file() validation before processing the attach value. This function uses realpath() and a regex check to ensure the file resolves to a path within the intended upload directory, rejecting any traversal attempts.
// Fixed code
$attach = $nv_Request->get_string('attach', 'post', '');
if (!empty($attach) and nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
} else {
$attach = '';
}