Vvveb Remote Code Execution Vulnerability via Unrestricted File Upload
Vulnerability
A remote code execution vulnerability has been identified in Vvveb versions prior to 1.0.8.2. This issue arises from an unrestricted file upload feature in the media upload handler, which allows authenticated users with media-upload permissions to bypass extension restrictions. By uploading a .htaccess file to map .phtml extensions to the PHP handler, attackers can execute arbitrary PHP code. The vulnerability is exploited by sending an unauthenticated HTTP GET request to the uploaded .phtml file, leading to remote code execution with web server privileges.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, executed with the privileges of the web server user.
Reproduction
To reproduce this vulnerability, an authenticated user with media-upload permissions can upload a .htaccess file that maps .phtml extensions to the PHP handler. After uploading a .phtml file containing arbitrary PHP code, the user can send an unauthenticated HTTP GET request to the uploaded file, triggering the execution of the PHP code on the server.
Remediation
Users are advised to update to Vvveb version 1.0.8.2 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.