| Field | Value |
|---|---|
| Title | VINADES.,JSC NukeViet 4.5.06 Internal File Read |
| Source | https://hkohi.ca/vulnerability/19 |
| User | 0xHamy (UID 88518) |
| Submitted | 2025-07-29 08:32 PM (9 months ago) |
| Moderation | 2025-08-08 10:13 PM (10 days later) |
| Status | Accepted |
| VulDB entry | 319295 [Vinades NukeViet up to 4.5.06 Module index.php?language=en&nv=upload privilege escalation] |
| Points | 20 |

Description

There is a file read vulnerability affecting [/nukeviet/admin/index.php?language=en&nv=upload] that allows site moderators to load files from URLs. No check is in place to prevent an attacker from making NukeViet load data from internal web services.

A malicious attacker with very limited site moderation privileges can exploit this vulnerability by uploading internal files, such as archives or documents, into NukeViet, then downloading them to their own machine and reading them.

One minor limitation of this attack is that unless text/html is allowed to be loaded (disabled by default), we can only load media files (images, videos, audio), archives (tar, zip) or documents (pdf, docx, doc). The "Upload" functionality allows us to upload these types of files by URL. "Upload" in this sense first downloads the resource and then uploads it to NukeViet.

Reproduce

To reproduce, you must have an account with at least "Module Administrator" privileges. The only module you need access to is "banners" or any other module that allows you to upload files.

1. Log in to that account through the admin panel: /nukeviet/admin/
2. Navigate to the [/nukeviet/admin/index.php?language=en&nv=upload] endpoint and, from the list of directories, select "banners".
3. Click the blue "Select upload mode" button and select "Remote upload".
4. Enter an internal URL, for example: http://127.0.0.1:8000/linkedin.tar
5. Add a note for the image and click the "Upload file" button.

This will download the file from the internal resource and make it available to you for download.
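The check the description says is missing, as an added example that is not NukeViet code and not part of this submission: before a remote-upload fetch, resolve the URL and refuse any target that is not a public address, so loopback, RFC 1918, link-local (including the page's 127.0.0.1 example, IPv6 `::1`, IPv4-mapped forms and names that resolve internally) are all rejected. The hostnames, records and `demo_resolver` are constructed stand-ins for `socket.getaddrinfo` so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lookup table standing in for socket.getaddrinfo so the example
# runs offline; a deployment would pass a getaddrinfo-backed resolver instead.
DEMO_RECORDS = {
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "example.test": ["93.184.216.34"],
    "mixed.test": ["93.184.216.34", "10.0.0.5"],
}

def demo_resolver(host):
    return DEMO_RECORDS.get(host.lower(), [])

def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped loopback is judged as 127.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, RFC 1918, link-local (169.254/16, where
    # cloud metadata services live), ULA and reserved ranges, but not multicast.
    return ip.is_global and not ip.is_multicast

def resolve_public_targets(url, resolver):
    """Return the addresses a fetch may connect to, or raise ValueError.
    Connect to one of these (keeping the Host header) rather than re-resolving
    the name, which would reopen a DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:  # literal IPs (including bracketed IPv6) need no DNS lookup
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:  # names, and shorthand like "127.1", go through DNS
        addresses = [str(ipaddress.ip_address(a)) for a in resolver(host)]
    rejected = [a for a in addresses if not is_public_address(a)]
    if not addresses or rejected:
        raise ValueError(f"{host!r}: unresolvable or non-public {rejected}")
    return addresses

def is_allowed(url, resolver=demo_resolver):
    try:
        resolve_public_targets(url, resolver)
    except ValueError:
        return False
    return True
```

A hostname with one public and one internal record is rejected outright, since the fetcher cannot know which record the connection would use.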