| Название | VINADES.,JSC NukeViet 4.5.06 Internal File Read |
|---|
| Описание | Description
There is a file read vulnerability affecting [/nukeviet/admin/index.php?language=en&nv=upload] that allows site moderators to load files from URLs. There is no security in place to prevent attackers from loading data into Nukeviet from internal web services.
A malicious attacker with very limited site moderation privileges can exploit this vulnerability by uploading internal files such as archives or documents into Nukeviet and then download them into their own machines and access them.
One minor issue that limits this attack is that unless text/html is allowed to be loaded (disabled by default), we can only load media files (images, videos, audio), archives (tar, zip) or documents (pdf, docx, doc). The “Upload” functionality allows us to upload these types of files by their URL. Upload in this sense, performs a download of the resource first and then uploads it to NukeViet.
Reproduce
To reproduce, you must have an account with at least “Module Administrator” privileges. The only module you need access to is “banners" or any other module that allows you to upload files.
Login to that account through admin panel:
/nukeviet/admin/
Navigate to [/nukeviet/admin/index.php?language=en&nv=upload] endpoint, and from list of directories select “banners”.
Click on “Select upload mode” blue button > Select Remote upload
Enter an internal URL, for example:
http://127.0.0.1:8000/linkedin.tar
Add a note for the image and click “Upload file” button.
This will download the image from the internal resource and make it available to you for download. |
|---|
| Источник | ⚠️ https://hkohi.ca/vulnerability/19 |
|---|
| Пользователь | 0xHamy (UID 88518) |
|---|
| Представление | 29.07.2025 20:32 (9 месяцы назад) |
|---|
| Модерация | 08.08.2025 22:13 (10 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 319295 [Vinades NukeViet до 4.5.06 Module index.php?language=en&nv=upload эскалация привилегий] |
|---|
| Баллы | 20 |
|---|