Vvveb XML External Entity Injection Vulnerability in Import Tool Allows Arbitrary File Read and Database Modification

Vulnerability

An XML External Entity (XXE) injection vulnerability has been identified in Vvveb versions prior to 1.0.8.2. The issue resides in the admin Tools/Import feature, where authenticated site_admin users can exploit the XML parser configuration to read arbitrary files and modify database records. The vulnerability arises because the XML parser is configured to resolve external entity references, allowing attackers to inject file:// or php://filter entity references that are processed and saved into the application database. This exploitation can lead to unauthorized access to sensitive files and the ability to overwrite administrator password hashes, facilitating privilege escalation.
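As an added defensive illustration (not Vvveb's own code, and not the patched implementation), the following PHP loader shows how an import feature can parse uploaded XML without resolving entities; the function names and the assumption that the upload has already been read into a string are mine.

```php
<?php
// Added example (not Vvveb's code): a hardened loader for an XML import
// feature. Assumes the uploaded file has already been read into $xml.

function loadImportXml(string $xml): DOMDocument
{
    // The import format needs no DTD, so any DOCTYPE is refused up front:
    // external and parameter entities can only be declared inside one.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('Import rejected: DOCTYPE is not allowed');
    }

    // PHP < 8.0 resolves external entities unless the loader is disabled;
    // PHP >= 8.0 disables it by default and deprecates this call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previousErrors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately absent, so entities are never expanded.
    $loaded = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);

    if ($loaded === false || $doc->doctype !== null || hasEntityRef($doc)) {
        throw new RuntimeException('Import rejected: malformed XML or entity use');
    }
    return $doc;
}

// Defence in depth: refuse any entity reference node that survived parsing.
function hasEntityRef(DOMNode $node): bool
{
    if ($node->nodeType === XML_ENTITY_REF_NODE) {
        return true;
    }
    foreach ($node->childNodes as $child) {
        if (hasEntityRef($child)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: a benign import document with no DTD is accepted.
$doc = loadImportXml('<import><page title="Home"/></import>');
echo $doc->documentElement->tagName, PHP_EOL;
```

Rejecting the DOCTYPE before parsing is the primary control; the post-parse checks only catch a document that slipped past it.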

Impact

Exploitation of this vulnerability allows arbitrary file read as the web server user, confirmed against sensitive files such as the system password file and PHP source files. Additionally, it enables a lateral move from site_admin to super_admin by overwriting the super_admin password hash with a known hash, allowing the attacker to log in as super_admin.

Reproduction

To reproduce this vulnerability, an authenticated site_admin user can upload a crafted XML file through the Tools/Import feature. The XML file must include an external entity reference pointing to a readable file, such as '/etc/passwd'. Once the file is uploaded, the resolved content can be accessed via the admin interface. To exploit the password overwriting aspect, the XML can be crafted to include a bcrypt hash of a known plaintext password, which, when uploaded, will replace the existing super_admin password hash.

Remediation

Users can update to Vvveb version 1.0.8.2 or later, where this vulnerability has been patched.

Added: May 6, 2026, 8:53 PM
Updated: May 6, 2026, 8:53 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.