Vvveb Stored Cross-Site Scripting Vulnerability Allowing Backdoor Creation and Remote Code Execution
Vulnerability
A stored cross-site scripting vulnerability has been identified in Vvveb versions prior to 1.0.8.1. This vulnerability allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript. The issue arises from a bypass of MIME type validation, enabling the renaming of uploaded files to executable extensions. Attackers can exploit this by adding a GIF89a header to HTML or JavaScript payloads to evade upload restrictions, rename the file to .html, and execute harmful scripts in an administrator's browser session. This could lead to the creation of backdoor accounts and the upload of malicious plugins for remote code execution.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of an administrator's session. This could be used to create a backdoor account with full privileges, which could then be used to upload malicious PHP plugins that execute code on the server.
Reproduction
To reproduce this vulnerability, an account with media upload and rename permissions is needed. After logging in, upload a GIF file containing a malicious HTML or JavaScript payload, prepending a GIF89a header to the file to bypass MIME type validation. Once uploaded, rename the file to have a .html extension. When an administrator accesses the renamed file, the embedded JavaScript will execute, leading to the creation of a backdoor account.
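The weakness described above is that the upload check trusts a leading GIF89a signature and the rename step does not re-validate the file. As an added defensive illustration (not Vvveb's own code), the following Python shows the check a media manager should apply to both uploads and renames: the extension must be on an image allowlist, the magic bytes must agree with that extension, HTML/script markup inside an "image" is rejected, and a rename is treated as a fresh upload of the stored bytes. The allowlist, extension set and sample files are assumptions constructed for this example.

```python
import re

# Allowlisted media extensions and the magic bytes each must start with
# (assumed policy for this example; not taken from Vvveb).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Extensions a browser or the server treats as active content; never valid for media.
ACTIVE_EXT = {"html", "htm", "xhtml", "svg", "js", "php", "phtml", "shtml"}
# Markup that has no business inside a raster image (catches GIF89a/HTML polyglots).
ACTIVE_MARKUP = re.compile(rb"<\s*(script|html|body|iframe|svg|object)\b", re.I)

# Constructed samples: a real 1x1 GIF and a GIF89a-prefixed HTML polyglot.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT = b"GIF89a<html><script>alert(1)</script></html>"

def sniffed_type(data: bytes):
    """Return the allowlisted type whose magic bytes the content starts with."""
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only allowlisted image extensions whose bytes match and contain no markup."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ACTIVE_EXT or ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    real = sniffed_type(data)
    if real is None or MAGIC[real] != MAGIC[ext]:
        return False, f"content does not match .{ext}"
    if ACTIVE_MARKUP.search(data):
        return False, "image contains HTML/script markup (polyglot)"
    return True, "ok"

def validate_rename(new_name: str, data: bytes) -> tuple[bool, str]:
    """A rename is a new claim about the file's type: re-run every upload check
    on the stored bytes, so a GIF-headed polyglot can never become .html."""
    return validate_upload(new_name, data)

if __name__ == "__main__":
    print(validate_upload("cat.gif", CLEAN_GIF))    # (True, 'ok')
    print(validate_upload("cat.gif", POLYGLOT))     # rejected: polyglot
    print(validate_rename("cat.html", CLEAN_GIF))   # rejected: active extension
```

Serving uploads with `X-Content-Type-Options: nosniff` and a fixed image `Content-Type` is a complementary layer, so that even a file that slips through is not rendered as a document.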
Remediation
Users are advised to update to Vvveb version 1.0.8.1 or later, where this vulnerability has been addressed.