Vvveb Information Disclosure Vulnerability via Unhandled Exceptions in Password Reset Module

Vulnerability

An information disclosure vulnerability exists in Vvveb versions prior to 1.0.8.2. It allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. The module lacks a proper namespace import, so it raises a fatal error that is rendered by the debug exception handler. The information exposed through the admin password-reset endpoint includes the absolute server file path, internal class namespaces, line numbers, and excerpts of the source code.

Impact

Exploitation of this vulnerability reveals the absolute server file path, internal class namespaces, line numbers, and source code excerpts, particularly from the admin password-reset module. This kind of information disclosure can facilitate further attacks, such as log file poisoning, local file inclusion, and targeted manipulation of include paths. Additionally, the vulnerability allows for operational reconnaissance, confirming internal paths and class names without authentication, which could be exploited in future attacks.

Reproduction

To reproduce this vulnerability, access the admin password-reset module without authentication. The missing namespace import will cause a fatal error, which triggers the debug exception handler. This error response will include the absolute file path, the line number of the error, the source line where the error occurred, and the internal class namespace that caused the exception. This can be done manually or with a tool like Burp Suite by sending a GET request to the password-reset endpoint and removing the Cookie header to demonstrate that no authentication is required.

Remediation

Users should update to Vvveb version 1.0.8.2 or later, where this vulnerability has been patched. As an immediate workaround, edit the 'env.php' file to set 'DEBUG' to false, then restart the PHP-FPM or Apache container.
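The following is an added example, not Vvveb's code, showing why the DEBUG setting matters: the same uncaught error is rendered either with the absolute path, line number, source excerpt and class namespace, or as an opaque reference whose detail goes only to the server log. The App\Controller namespace, the Mailer class and the helper functions are constructed for illustration.

```php
<?php
// Added example, not Vvveb's code: a minimal exception handler showing how a
// DEBUG flag decides whether an uncaught \Error leaks the absolute path, line
// number, source excerpt and class namespace, or only a generic message.
// Namespace, class and function names below are constructed for illustration.
declare(strict_types=1);

namespace App\Controller;

// Stand-in for the 'DEBUG' value read from env.php (assumed to be a bool).
const DEBUG = false;

// What a debug handler renders: exception class (with its namespace), message,
// absolute file path, line number, the offending source line and the trace.
// This view must never reach an unauthenticated client on a production host.
function renderDebug(\Throwable $e): string
{
    $lines = file($e->getFile()) ?: [];
    $src   = trim($lines[$e->getLine() - 1] ?? '');
    return sprintf("%s: %s\nin %s:%d\n> %s\n%s",
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $src, $e->getTraceAsString());
}

// Production rendering: keep the full detail in the server log under an
// opaque reference and return only that reference to the client.
function renderProduction(\Throwable $e): string
{
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[%s] %s', $ref, renderDebug($e)));
    http_response_code(500);
    return "An internal error occurred (ref $ref).\n";
}

set_exception_handler(function (\Throwable $e): void {
    echo DEBUG ? renderDebug($e) : renderProduction($e);
});

// Simulates the bug class: Mailer is meant to come from another namespace,
// but the `use` import is missing, so PHP resolves it as App\Controller\Mailer
// and throws a fatal "Class not found" \Error when this line is reached.
$mailer = new Mailer();
```

Run it once with DEBUG set to true and once with false to compare what the client receives with what reaches error_log.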

Added: May 6, 2026, 8:54 PM
Updated: May 6, 2026, 8:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.