GHSA-c9xg-64p9-f2jj
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
Details
## Summary
Path Traversal to Arbitrary File Deletion in the Edit Comment admin function. An authenticated administrator can delete arbitrary files within the application root (e.g., `config.php`) by injecting a crafted `attach` parameter, rendering the application inoperable.
## Affected Component
`modules/comment/admin/edit.php`
## Root Cause
In the vulnerable version, the `attach` parameter received via HTTP POST was not validated before being processed:
```php // Vulnerable code (before fix) $attach = $nv_Request->get_string('attach', 'post', '', true); if (!empty($attach)) { $attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/')); } ```
`substr()` strips the first N characters (equal to the length of the upload URL prefix, e.g. 26 chars for `/nukeviet/uploads/comment/`). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can store `../../<target>` directly into the database.
When the comment is subsequently deleted, `del.php` reads `attach` from the database and calls:
```php nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']); ```
`nv_deletefile()` resolves the path via `realpath()` and only verifies the result is within `NV_ROOTDIR` — it does **not** restrict deletion to the uploads directory — allowing deletion of any file in the installation root.
## Steps to Reproduce
1. Log in as an administrator and navigate to **Admin → Comment Management**. 2. Select any comment and open the Edit form. 3. Intercept the POST request and set the `attach` parameter to:
``` aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php ```
*(26 padding characters + traversal path)*
4. Submit the request. The value `../../config.php` is now stored in the database. 5. Delete the comment. `config.php` is deleted from the application root. 6. The application immediately redirects to the install wizard, confirming the file has been removed.
## Impact
- Any file readable by the web server process within `NV_ROOTDIR` can be permanently deleted. - Deleting `config.php` causes a full application outage and exposes the install wizard.
## Severity
**CVSS v3.1 Base Score: 8.7 (High)**
``` CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H ```
| Metric | Value | |--------|-------| | Attack Vector | Network | | Attack Complexity | Low | | Privileges Required | High (Admin required) | | User Interaction | None | | Scope | Changed | | Confidentiality | None | | Integrity | High | | Availability | High |
## Fix
Added `nv_is_file()` validation before processing the `attach` value. This function uses `realpath()` and a regex check to ensure the file resolves to a path within the intended upload directory, rejecting any traversal attempts.
```php // Fixed code $attach = $nv_Request->get_string('attach', 'post', ''); if (!empty($attach) and nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload)) { $attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/')); } else { $attach = ''; } ```
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 4.6.00 composer require nukeviet/nukeviet:^4.6.00