| शीर्षक | Vvveb CMS v1.0.8.1 ssrf |
|---|
| विवरण | The SSRF formation chain, code-level root cause, low-privilege reachability, and exploitation conditions of the backend editor endpoint /admin/index.php?module=editor/editor&action=oEmbedProxy
The low-privilege author role is granted editor/* by default
The IP restriction in validateUrl() is implemented incorrectly: it validates the full URL rather than the parsed hostname
Therefore, from a code-chain perspective, the complete formation path is:
A low-privilege backend account enters editor/editor
A request is made with action=oEmbedProxy
Editor::oEmbedProxy() directly reads $_GET['url']
getUrl() calls validateUrl()
validateUrl() attempts to block IPs, but the regex matches $url rather than $host
Addresses such as http://127.0.0.1/ and http://192.168.50.1/ bypass the validation
The server uses curl / file_get_contents to make the request and directly returns the response content to the attacker |
|---|
| स्रोत | ⚠️ https://github.com/myift/ideal-potato/blob/main/cve2/1/2/vvveb-editor-oembedproxy-ssrf-en.md |
|---|
| उपयोगकर्ता | myift (UID 86100) |
|---|
| सबमिशन | 22/04/2026 11:09 AM (2 महीनों पहले) |
|---|
| संयम | 16/05/2026 02:45 PM (24 days later) |
|---|
| स्थिति | प्रतिलिपि |
|---|
| VulDB प्रविष्टि | 358309 [givanz Vvveb तक 1.0.8.0 file URL getUrl अधिकार वृद्धि] |
|---|
| अंक | 0 |
|---|