| タイトル | VINADES.,JSC NukeViet 4.5.06 Internal File Read |
|---|
| 説明 | Description
There is a file read vulnerability affecting [/nukeviet/admin/index.php?language=en&nv=upload] that allows site moderators to load files from URLs. There is no security in place to prevent attackers from loading data into Nukeviet from internal web services.
A malicious attacker with very limited site moderation privileges can exploit this vulnerability by uploading internal files such as archives or documents into Nukeviet and then download them into their own machines and access them.
One minor issue that limits this attack is that unless text/html is allowed to be loaded (disabled by default), we can only load media files (images, videos, audio), archives (tar, zip) or documents (pdf, docx, doc). The “Upload” functionality allows us to upload these types of files by their URL. Upload in this sense, performs a download of the resource first and then uploads it to NukeViet.
Reproduce
To reproduce, you must have an account with at least “Module Administrator” privileges. The only module you need access to is “banners" or any other module that allows you to upload files.
Login to that account through admin panel:
/nukeviet/admin/
Navigate to [/nukeviet/admin/index.php?language=en&nv=upload] endpoint, and from list of directories select “banners”.
Click on “Select upload mode” blue button > Select Remote upload
Enter an internal URL, for example:
http://127.0.0.1:8000/linkedin.tar
Add a note for the image and click “Upload file” button.
This will download the image from the internal resource and make it available to you for download. |
|---|
| ソース | ⚠️ https://hkohi.ca/vulnerability/19 |
|---|
| ユーザー | 0xHamy (UID 88518) |
|---|
| 送信 | 2025年07月29日 20:32 (9 月 ago) |
|---|
| モデレーション | 2025年08月08日 22:13 (10 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 319295 [Vinades NukeViet 迄 4.5.06 Module index.php?language=en&nv=upload 特権昇格] |
|---|
| ポイント | 20 |
|---|