Vvveb CMS Remote Code Execution Vulnerability in Media Management
Vulnerability
A remote code execution vulnerability has been identified in Vvveb CMS version 1.0.8, specifically within the media management feature. The issue arises from a logic flaw in the file rename handler, where a missing return statement allows authenticated attackers to rename files with restricted extensions, such as .php or .htaccess. Exploitation involves uploading a text file, renaming it to .htaccess to inject Apache directives that enable PHP-executable MIME types, and then uploading another file, renaming it to .php, to execute arbitrary operating system commands as the www-data user.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed commands running as the www-data user.
Reproduction
To reproduce this vulnerability, an authenticated user uploads a text file through the media management feature. After the file is uploaded, it can be renamed to .htaccess, so that the Apache directives it contains register PHP-executable MIME types. Once this is done, another file can be uploaded and renamed to .php, allowing the execution of arbitrary operating system commands as the www-data user.
Remediation
Users can update to Vvveb CMS version 1.0.8.1, which addresses this vulnerability by preventing renaming files to restricted extensions.
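The missing-return flaw described above, next to its corrected form, as an added PHP example (not Vvveb's source code). The function names, the deny list and the in-memory file map that stands in for the media directory are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical names, not Vvveb's source code.
const DENIED_EXTENSIONS = ['php', 'phtml', 'phar', 'htaccess']; // assumed deny list

// Extension of the rename target; a dotfile such as ".htaccess" yields "htaccess".
function targetExtension(string $name): string
{
    $base = rtrim(basename($name), '. ');
    return strtolower(ltrim(strrchr($base, '.') ?: '', '.'));
}

// Flawed pattern: the check records an error message but never returns.
function renameVulnerable(array &$files, string $from, string $to): string
{
    $message = 'File renamed';
    if (in_array(targetExtension($to), DENIED_EXTENSIONS, true)) {
        $message = 'File type not allowed';
        // Missing return: execution falls through to the rename below.
    }
    $files[$to] = $files[$from];
    unset($files[$from]);
    return $message;
}

// Corrected pattern: reject and return before the file is touched.
function renameFixed(array &$files, string $from, string $to): string
{
    if (in_array(targetExtension($to), DENIED_EXTENSIONS, true)) {
        return 'File type not allowed';
    }
    $files[$to] = $files[$from];
    unset($files[$from]);
    return 'File renamed';
}

// Constructed sample data: run both handlers on the same restricted rename.
foreach (['renameVulnerable', 'renameFixed'] as $handler) {
    $files = ['notes.txt' => 'constructed sample content'];
    $result = $handler($files, 'notes.txt', '.htaccess');
    printf("%-16s %-22s files: %s\n", $handler, $result, implode(', ', array_keys($files)));
}
```

The flawed handler reports the rejection yet still performs the rename, which is why a check that only sets an error message does not protect the media directory.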
