Summary
Path Traversal to Arbitrary File Deletion in the Edit Comment admin function. An authenticated administrator can delete arbitrary files within the application root (e.g., config.php) by injecting a crafted attach parameter, rendering the application inoperable.
Affected Component
modules/comment/admin/edit.php
Root Cause
In the vulnerable version, the attach parameter received via HTTP POST was not validated before being processed:
// Vulnerable code (before fix)
$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}
substr() strips the first N characters (equal to the length of the upload URL prefix, e.g. 26 chars for /nukeviet/uploads/comment/). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can store ../../<target> directly into the database.
When the comment is subsequently deleted, del.php reads attach from the database and calls:
nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']);
nv_deletefile() resolves the path via realpath() and only verifies the result is within NV_ROOTDIR — it does not restrict deletion to the uploads directory — allowing deletion of any file in the installation root.
Steps to Reproduce
- Log in as an administrator and navigate to Admin → Comment Management.
- Select any comment and open the Edit form.
- Intercept the POST request and set the
attach parameter to:
aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php
(26 padding characters + traversal path)
- Submit the request. The value
../../config.php is now stored in the database.
- Delete the comment.
config.php is deleted from the application root.
- The application immediately redirects to the install wizard, confirming the file has been removed.
Impact
- Any file readable by the web server process within
NV_ROOTDIR can be permanently deleted.
- Deleting
config.php causes a full application outage and exposes the install wizard.
Severity
CVSS v3.1 Base Score: 8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
| Metric |
Value |
| Attack Vector |
Network |
| Attack Complexity |
Low |
| Privileges Required |
High (Admin required) |
| User Interaction |
None |
| Scope |
Changed |
| Confidentiality |
None |
| Integrity |
High |
| Availability |
High |
Fix
Added nv_is_file() validation before processing the attach value. This function uses realpath() and a regex check to ensure the file resolves to a path within the intended upload directory, rejecting any traversal attempts.
// Fixed code
$attach = $nv_Request->get_string('attach', 'post', '');
if (!empty($attach) and nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
} else {
$attach = '';
}
References
Summary
Path Traversal to Arbitrary File Deletion in the Edit Comment admin function. An authenticated administrator can delete arbitrary files within the application root (e.g.,
config.php) by injecting a craftedattachparameter, rendering the application inoperable.Affected Component
modules/comment/admin/edit.phpRoot Cause
In the vulnerable version, the
attachparameter received via HTTP POST was not validated before being processed:substr()strips the first N characters (equal to the length of the upload URL prefix, e.g. 26 chars for/nukeviet/uploads/comment/). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can store../../<target>directly into the database.When the comment is subsequently deleted,
del.phpreadsattachfrom the database and calls:nv_deletefile()resolves the path viarealpath()and only verifies the result is withinNV_ROOTDIR— it does not restrict deletion to the uploads directory — allowing deletion of any file in the installation root.Steps to Reproduce
attachparameter to:(26 padding characters + traversal path)
../../config.phpis now stored in the database.config.phpis deleted from the application root.Impact
NV_ROOTDIRcan be permanently deleted.config.phpcauses a full application outage and exposes the install wizard.Severity
CVSS v3.1 Base Score: 8.7 (High)
Fix
Added
nv_is_file()validation before processing theattachvalue. This function usesrealpath()and a regex check to ensure the file resolves to a path within the intended upload directory, rejecting any traversal attempts.References