Vvveb 1.0.5 | Admin password bruteforce

Basic Information

Software Type: Web App
Software Name: Vvveb
Affected Version: 1.0.5
Software Vendor: Vvveb
Software Link: https://github.com/givanz/Vvveb
Severity: Critical
CVSS Score: 9.8
Affected Assets: 100+
Date of Discovery: Jan 3rd, 2025

Description

Vvveb can be configured to use a custom path for the admin panel; in my case the admin panel is accessible at the following endpoint:
/vadmin123
This endpoint is vulnerable because Vvveb's core applies no rate limiting to login attempts.

Reproduce

To reproduce this issue, send a request with a correct email and an incorrect password:

POST /vadmin123/index.php?module=user/login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------370495896418792897833957952384
Content-Length: 561
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

-----------------------------370495896418792897833957952384
Content-Disposition: form-data; name="csrf"

XXYqfXvJQl688Unv
-----------------------------370495896418792897833957952384
Content-Disposition: form-data; name="redir"

/vadmin123/
-----------------------------370495896418792897833957952384
Content-Disposition: form-data; name="user"

[email protected]
-----------------------------370495896418792897833957952384
Content-Disposition: form-data; name="password"

12345678901
-----------------------------370495896418792897833957952384--


When you send an incorrect password, you get the following response:
Authentication failed, wrong email or password!
With a correct set of credentials, you get a 302 redirect response going to the following location:
Login successful!

These two responses can be used as fingerprints to tell a correct password from an incorrect one when performing a bruteforce with a large password list.
The following exploit demonstrates a successful bruteforce with a list of 200 passwords; it can be tweaked to read passwords from a list and try them:
https://gist.github.com/0xHamy/3bc2833276ee196cfffa64601d3439b9

Proof of Concept (PoC) Video

PoC Exploit

https://gist.github.com/0xHamy/3bc2833276ee196cfffa64601d3439b9

Mitigation

Add rate limiting and a CAPTCHA on the login endpoint.

Patch

Vvveb added a failed-logins table with an hourly count of failed attempts; the account is locked after 10 failed attempts in the current hour.
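The lockout scheme described above, written out as an added example (not Vvveb's own code): a failed-logins table keyed by account and calendar hour, with login refused once the hour's count reaches 10. Table name, schema and the credential store are assumptions for the demo; Vvveb is PHP, but the logic is shown in Python so it can be run as-is.

```python
import hmac
import sqlite3
import time

# Lock an account once this many failed logins are counted in the current hour,
# mirroring the threshold described in the Patch section.
LOCK_THRESHOLD = 10

# Constructed credential store for the demo; a real install verifies a password hash.
USERS = {"admin@example.test": "correct horse battery staple"}

def check_password(user, password):
    """Constant-time comparison so timing does not reveal how much of a guess matched."""
    expected = USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode()) and user in USERS

def open_db():
    """In-memory stand-in for the failed-logins table (name and schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE failed_logins (user TEXT, hour INTEGER, count INTEGER, "
               "PRIMARY KEY (user, hour))")
    return db

def hour_bucket(now):
    return int(now // 3600)  # calendar hour since the epoch; a new hour is a new row

def failures_this_hour(db, user, now):
    row = db.execute("SELECT count FROM failed_logins WHERE user = ? AND hour = ?",
                     (user, hour_bucket(now))).fetchone()
    return row[0] if row else 0

def record_failure(db, user, now):
    db.execute("INSERT OR IGNORE INTO failed_logins VALUES (?, ?, 0)", (user, hour_bucket(now)))
    db.execute("UPDATE failed_logins SET count = count + 1 WHERE user = ? AND hour = ?",
               (user, hour_bucket(now)))

def attempt_login(db, user, password, now=None):
    """Return 'locked', 'failed' or 'ok'. The lock is checked before the password so a
    locked account cannot be probed; the counter resets by itself when the hour rolls over."""
    now = time.time() if now is None else now
    if failures_this_hour(db, user, now) >= LOCK_THRESHOLD:
        return "locked"
    if not check_password(user, password):
        record_failure(db, user, now)
        return "failed"
    return "ok"
```

Because the counter is keyed on the account rather than the client, ten wrong guesses from anyone lock the admin out for the rest of the hour, so this should be paired with the per-client rate limiting or CAPTCHA from the Mitigation section.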



Posted on: January 10, 2025 09:17 PM