Givanz Vvveb Server-Side Request Forgery Vulnerability in Drag-and-Drop Editor Component
Vulnerability
A critical server-side request forgery (SSRF) vulnerability has been identified in Givanz Vvveb versions through 1.0.5. The issue is in the Drag-and-Drop Editor component, specifically at '/vadmin123/?module=editor/editor'. A remote attacker can manipulate the 'url' argument so that the server issues requests to a destination of the attacker's choosing, which leads to unauthorized internal port scanning. This endpoint is accessible to users with 'Editor' privileges, who can modify posts or pages.
Impact
Exploitation of this vulnerability allows server-side request forgery, which enables internal port scanning and, potentially, access to internal services.
Reproduction
To reproduce this vulnerability, log in as an editor and navigate to the '/vadmin123/index.php?module=content/posts&type=post' endpoint. Open a post in 'Design' mode and the editor will generate a URL similar to 'http://<your-ip>/vadmin123/?module=editor/editor&name=<post-name>&url=//<your-ip>/hello-world-4'. To exploit the SSRF vulnerability, change the 'url' parameter to point to an internal port, such as 'http://<your-ip>:80/'. This will access the Vvveb index page. For port scanning, use a non-existent port like 9999, which will trigger a browser error. To confirm the scan, set up a dummy PHP server on an open port and send a request through the vulnerable endpoint, which will be logged by the PHP server.
Remediation
Users are advised to upgrade to Givanz Vvveb version 1.0.6, which addresses this vulnerability.
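To review whether the editor endpoint has been used this way before or during the upgrade, the following added example (not part of the original advisory or of the Vvveb project) scans web access logs for editor requests whose 'url' value leaves the site. It assumes a common/combined log format and a site served as cms.example.test; the function names, the hostname and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: common/combined access-log format; client address is the first field.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_target(value, allowed_netlocs):
    """Return why an editor `url` value leaves the site, or None if it stays on it."""
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port
    except ValueError:
        return "malformed authority"
    # Relative paths and the site's own host[:port] are what the editor generates.
    if host is None or parts.netloc.lower() in allowed_netlocs:
        return None
    reasons = []
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            reasons.append("internal address")
    except ValueError:
        pass  # a hostname, not an IP literal
    if port is not None:
        reasons.append(f"explicit port {port}")
    return ", ".join(reasons) or "host outside the site"

def scan(lines, allowed_netlocs):
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        query = parse_qs(urlsplit(m.group(2)).query) if m else {}
        if query.get("module") != ["editor/editor"]:
            continue  # unparsed line or not the editor endpoint
        for value in query.get("url", []):
            reason = check_target(value, allowed_netlocs)
            if reason:
                findings.append((m.group(1), value, reason))
    return findings

# Constructed sample lines, not taken from a real server.
PREFIX = '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /vadmin123/'
SAMPLE_LOG = [
    PREFIX + '?module=editor/editor&name=p&url=//cms.example.test/hello-world-4 HTTP/1.1" 200 5120',
    PREFIX + '?module=editor/editor&name=p&url=http://cms.example.test:80/ HTTP/1.1" 200 5120',
    PREFIX + '?module=editor/editor&name=p&url=http://127.0.0.1:9999/ HTTP/1.1" 200 312',
]
print(*scan(SAMPLE_LOG, {"cms.example.test"}), sep="\n")
```

If the site is legitimately served on a non-default port or by IP address, add that exact host[:port] to the allowed set so the editor's own URLs are not flagged.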
