NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
🔗 CVE IDs covered (1)
📋 Description
Summary
Path Traversal to Arbitrary File Deletion in the Edit Comment admin function. An authenticated administrator can delete arbitrary files within the application root (e.g., config.php) by injecting a crafted attach parameter, rendering the application inoperable.
Affected Component
modules/comment/admin/edit.php
Root Cause
In the vulnerable version, the attach parameter received via HTTP POST was not validated before being processed:
// Vulnerable code (before fix)
$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}
substr() strips the first N characters (equal to the length of the upload URL prefix, e.g. 26 chars for /nukeviet/uploads/comment/). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can store ../../<target> directly into the database.
When the comment is subsequently deleted, del.php reads attach from the database and calls:
nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']);
nv_deletefile() resolves the path via realpath() and only verifies the result is within NV_ROOTDIR — it does not restrict deletion to the uploads directory — allowing deletion of any file in the installation root.
Steps to Reproduce
- Log in as an administrator and navigate to Admin → Comment Management.
- Select any comment and open the Edit form.
- Intercept the POST request and set the
attachparameter to:
aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php
(26 padding characters + traversal path)
- Submit the request. The value
../../config.phpis now stored in the database. - Delete the comment.
config.phpis deleted from the application root. - The application immediately redirects to the install wizard, confirming the file has been removed.
Impact
- Any file readable by the web server process within
NV_ROOTDIRcan be permanently deleted. - Deleting
config.phpcauses a full application outage and exposes the install wizard.
Severity
CVSS v3.1 Base Score: 8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
| Metric | Value | |--------|-------| | Attack Vector | Network | | Attack Complexity | Low | | Privileges Required | High (Admin required) | | User Interaction | None | | Scope | Changed | | Confidentiality | None | | Integrity | High | | Availability | High |
Fix
Added nv_is_file() validation before processing the attach value. This function uses realpath() and a regex check to ensure the file resolves to a path within the intended upload directory, rejecting any traversal attempts.
// Fixed code
$attach = $nv_Request->get_string('attach', 'post', '');
if (!empty($attach) and nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
} else {
$attach = '';
}
🎯 Affected products1
- composer/nukeviet/nukeviet:< 4.6.00