NukeViet | Internal File Read
Information
| Software Type | Web App |
|---|---|
| Software Name | NukeViet |
| Affected Version | 4.5.06 |
| Software Vendor | VINADES.,JSC |
| Software Link | https://github.com/nukeviet/nukeviet |
| Severity | Medium |
| CVSS Score | 6.4 |
| CVE Link | N/A |
| Affected Assets | 3588+ |
| Date of Discovery | Jan 18th, 2025 |
| PoC Exploit | N/A |
Description
There is a file read vulnerability affecting [/nukeviet/admin/index.php?language=en&nv=upload] that allows site moderators to load files from URLs. There is no security in place to prevent attackers from loading data into Nukeviet from internal web services.
A malicious attacker with very limited site moderation privileges can exploit this vulnerability by uploading internal files such as archives or documents into Nukeviet and then download them into their own machines and access them.
One minor issue that limits this attack is that unless text/html is allowed to be loaded (disabled by default), we can only load media files (images, videos, audio), archives (tar, zip) or documents (pdf, docx, doc). The “Upload” functionality allows us to upload these types of files by their URL. Upload in this sense, performs a download of the resource first and then uploads it to NukeViet.
Reproduce
To reproduce, you must have an account with at least “Module Administrator” privileges. The only module you need access to is “banners" or any other module that allows you to upload files.
Login to that account through admin panel:
/nukeviet/admin/
Navigate to [/nukeviet/admin/index.php?language=en&nv=upload] endpoint, and from list of directories select “banners”.
Click on “Select upload mode” blue button > Select Remote upload
Enter an internal URL, for example:
http://127.0.0.1:8000/linkedin.tar
Add a note for the image and click “Upload file” button.
This will download the image from the internal resource and make it available to you for download.
Proof of Concept (PoC) Video
Posted on: May 24, 2025 02:28 AM