phpMyAdmin
cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*
- < 1.0.8.2
A hard-coded credentials vulnerability has been identified in Vvveb versions prior to 1.0.8.2. The issue resides in the docker-compose-apache.yaml file, where phpMyAdmin is configured with default credentials that allow unauthenticated access to the phpMyAdmin container. This misconfiguration enables attackers to connect to phpMyAdmin and gain unrestricted read and write access to the Vvveb database. Sensitive data at risk includes administrator password hashes, customer personally identifiable information, and order details, all of which could facilitate account takeovers and unauthorized data manipulation.
Exploitation of this vulnerability leads to a complete compromise of the Vvveb database through unauthorized access via phpMyAdmin. This includes access to every table and row, including the administrator and customer bcrypt password hashes, which could be cracked offline and reused. Additionally, once an attacker holds an administrator account, they could chain other vulnerabilities in Vvveb to achieve remote code execution.
The vulnerability can be reproduced by deploying Vvveb using the default docker-compose-apache.yaml configuration, which includes the hard-coded phpMyAdmin credentials. After deploying, phpMyAdmin can be accessed without authentication, and the vulnerability can be verified by dumping the database through the phpMyAdmin interface or via SQL injection.
To address this vulnerability, Vvveb users should update to version 1.0.8.2 or later. After updating, remove any phpMyAdmin port mappings from the docker-compose file and run 'docker compose up -d' to apply the changes. If phpMyAdmin access is needed, it should be secured behind an authentication layer and only exposed on the internal Docker network.
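The following Docker Compose fragment is an added illustration, not Vvveb's actual docker-compose-apache.yaml: it shows the risky pattern the advisory describes (phpMyAdmin published on a host port and pre-configured with database credentials, so anyone who reaches the port is logged in without a prompt) next to a hardened layout that keeps phpMyAdmin unpublished, drops the auto-login variables so phpMyAdmin asks for database credentials, and only starts it on demand. Image names, service names, port numbers and the secrets file path are assumptions chosen for the example; `PMA_HOST`, `PMA_USER`, `PMA_PASSWORD` and `MARIADB_ROOT_PASSWORD_FILE` are the documented environment variables of the official `phpmyadmin` and `mariadb` images.

```yaml
# --- Risky pattern (constructed example of the misconfiguration described above) ---
services:
  db:
    image: mariadb
    environment:
      MARIADB_ROOT_PASSWORD: "CHANGE-ME"      # placeholder; never commit real secrets
  phpmyadmin:
    image: phpmyadmin
    ports:
      - "8080:80"                             # published on every host interface
    environment:
      PMA_HOST: db
      PMA_USER: root                          # auto-login: no credentials prompt at all
      PMA_PASSWORD: "CHANGE-ME"               # anyone reaching :8080 is root on the DB

---
# --- Hardened layout (constructed example; assumes a ./secrets directory exists) ---
services:
  db:
    image: mariadb
    networks: [backend]
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    secrets: [db_root_password]
  phpmyadmin:
    image: phpmyadmin
    networks: [backend]
    # No "ports:" entry: phpMyAdmin is reachable only from containers on "backend".
    # No PMA_USER / PMA_PASSWORD: phpMyAdmin prompts for DB credentials (cookie auth).
    environment:
      PMA_HOST: db
    profiles: [admin]                         # not started by a plain "docker compose up"
networks:
  backend:
    internal: true                            # no routing to or from outside the host
secrets:
  db_root_password:
    file: ./secrets/db_root_password.txt      # keep out of version control
```

With the hardened layout, `docker compose up -d` brings up the application without phpMyAdmin; an administrator starts it explicitly with `docker compose --profile admin up -d phpmyadmin` and reaches it through an authenticated path such as an SSH tunnel or a reverse proxy that enforces its own login. A quick check after editing the file is `docker compose config` to confirm that the rendered phpMyAdmin service has no `ports:` section and no `PMA_PASSWORD` value.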