Vvveb Authenticated Remote Code Execution Vulnerability in Code Editor

Vulnerability

A remote code execution vulnerability has been identified in Vvveb versions prior to 1.0.8.2. It allows low-privilege authenticated users to execute arbitrary code because the admin code editor does not adequately restrict the file extensions it will write. Attackers with the editor, author, contributor, or site_admin role can write a .htaccess file that maps a file extension of their choosing to the PHP handler, so that any file with that extension is executed as PHP when it is requested over HTTP.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution on the server, with the executed code running under the web server's user account.

Reproduction

To reproduce this vulnerability, log into the Vvveb admin panel as a user with an affected role (editor, author, contributor, or site_admin). Navigate to the code editor and upload a .htaccess file that redirects a file extension of your choice to the PHP handler. Then, upload a file with that extension containing PHP code. When the file is accessed through the web server, the PHP code will be executed, demonstrating the remote code execution vulnerability.
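The missing control here is a strict filename check in the editor's write path. The following is an added example of such a check (not Vvveb's code); the allowlist of editable extensions is an assumption, not the project's actual list. It rejects dotfiles such as .htaccess, path components, and any dotted component outside the allowlist, so a double extension like x.php.html is refused as well.

```python
import posixpath
from typing import Optional

# Assumed allowlist of extensions a site code editor legitimately writes.
# Vvveb's real allowlist is not on this page; adjust for your deployment.
ALLOWED_EXTENSIONS = {"html", "css", "js", "tpl", "txt", "md"}


def check_editor_filename(name: str) -> Optional[str]:
    """Return None if `name` may be written by the code editor, else a reason.

    Rejects empty names and NUL bytes, directory components and traversal,
    dotfiles (server configuration such as .htaccess), names without an
    extension, and any dotted component that is not on the allowlist.
    Every component after the first is checked, not just the last one,
    because web servers may honour an inner extension too.
    """
    if not name or "\x00" in name:
        return "empty or NUL byte"
    # Any directory separator or traversal sequence changes the basename.
    base = posixpath.basename(name.replace("\\", "/"))
    if base != name or base in (".", ".."):
        return "path component"
    # Dotfiles are server configuration, never editor content.
    if base.startswith("."):
        return "dotfile"
    parts = base.split(".")
    if len(parts) < 2:
        return "no extension"
    for ext in parts[1:]:
        if ext.lower() not in ALLOWED_EXTENSIONS:
            return f"extension not allowed: {ext!r}"
    return None


def is_safe_editor_filename(name: str) -> bool:
    """Boolean wrapper for use at the write boundary."""
    return check_editor_filename(name) is None
```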

Remediation

Update to Vvveb version 1.0.8.2, where this vulnerability has been patched.

Added: May 6, 2026, 8:53 PM
Updated: May 6, 2026, 8:53 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.