givanz
commented
4 months ago Thanks for the vulnerability report, it was previously reported https://github.com/givanz/VvvebJs/issues/339 and fixed in https://github.com/givanz/VvvebJs/commit/c6422cfd4d835c2fa6d512645e30015f24538ef0 it is now also included in the last release https://github.com/givanz/VvvebJs/releases/tag/1.7.5
Hebing123
Summary
VvvebJs version 1.7.4 exhibits an arbitrary file upload vulnerability. An attacker can exploit this vulnerability to upload malicious files onto the server, potentially leading to the execution of arbitrary code under the context of the webserver.
Details
The vulnerability arises from the 'save.php' file as it fails to implement adequate checks on the types of files being uploaded. The 'sanitizeFileName' function is designed to remove any unsecured characters and parameters from the filename and restrict the file extension to '.html'. However, the function fails to validate the user input properly, allowing an attacker to bypass these checks. Here is the relevant code snippet: https://github.com/givanz/VvvebJs/blob/c6422cfd4d835c2fa6d512645e30015f24538ef0/save.php#L87-L89 In the code, $_POST['file'] takes user input without proper filtering or verification. The filename provided by user input is assigned to the $file variable, which ultimately gets uploaded to the server without going through sufficient security measures.
Proof of Concept (POC)
After uploading the attacker accesses the URL:http://192.168.160.147/demo/landing/index.php
Impact
Given that this is an arbitrary file upload vulnerability, an attacker can potentially upload any type of files, including malicious PHP scripts or web shells. After successful exploitation, an attacker may leverage the ability to execute arbitrary code in the context of the webserver, enabling them to carry out further attacks, potentially gaining unauthorized access to sensitive data or escalating their privileges on the server. It is highly recommended that developers patch this vulnerability promptly.