| Title | Vvveb 1.0.5 Internal File Read |
|---|
| Description |
The endpoint at [/vadmin123/index.php?module=editor/editor&url=/&template=index.html] is vulnerable to file read. The vulnerability allows reading old Vvveb files that were used by an earlier Vvveb version.
Its current severity is low because I wasn't able to read sensitive files.
Reproduce
Log in as an editor or any user with access to the "Edit website" functionality. Open the following endpoint:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=/&template=index.html
Change the path to this:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=index.html
This will allow you to open files located at the following server path:
/var/www/html/public/admin/default
I found this file by searching for a keyword I had found on index.html [editor/editor&url=index.html]:
find . -type f -exec grep -l 'Vvveb 0.2 is now available!' {} +
This directory contains the following files:
/var/www/html/public/admin/default # ls -la
total 448
drwx-wx-wx 22 www-data www-data 4096 Jan 3 14:56 .
drwx-wx-wx 3 www-data www-data 4096 Jan 3 14:57 ..
-rwx-wx-wx 1 www-data www-data 10173 Jan 3 14:56 LICENSE
-rwx-wx-wx 1 www-data www-data 5378 Jan 3 14:56 README.md
drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 admin
drwx-wx-wx 3 www-data www-data 4096 Jan 3 14:56 content
drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 css
drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 editor
drwx-wx-wx 4 www-data www-data 4096 Jan 3 14:56 email
-rwx-wx-wx 1 www-data www-data 73835 Jan 3 14:56 error403.html
-rwx-wx-wx 1 www-data www-data 73408 Jan 3 14:56 error404.html
-rwx-wx-wx 1 www-data www-data 74142 Jan 3 14:56 error500.html
-rwx-wx-wx 1 www-data www-data 3150 Jan 3 14:56 favicon.ico
drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 field
drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 fields
You can open files for reading. I was able to read package.json:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=package.json
Some old files like systeminfo.html may provide information about the old configuration used by the web app:
http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=tools/systeminfo.html |
|---|
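The report above shows the failure mode (the editor's url parameter names any file under the old admin theme directory) but not what a fix looks like. The script below is an added illustration and is not Vvveb's code; Vvveb is a PHP project and its real editor module is not shown on this page. It builds a constructed stand-in for the theme directory, reproduces the unrestricted "join the url parameter to the theme root and open it" pattern, and places beside it a hardened resolver that canonicalises the path, refuses anything outside the theme root, and serves only an allowlisted set of templates. The directory layout, the file contents, and the EDITABLE_TEMPLATES allowlist are assumptions made for the demo.

```python
import os
import tempfile


def make_fixture():
    """Constructed stand-in for the directory the report names
    (/var/www/html/public/admin/default): a theme root holding a few files,
    plus one file one level above it. None of this is real Vvveb content."""
    base = tempfile.mkdtemp(prefix="vvveb-demo-")
    theme_root = os.path.join(base, "default")
    files = {
        "default/index.html": "<html>Vvveb 0.2 is now available!</html>",
        "default/package.json": '{"name": "vvveb-demo", "version": "0.2"}',
        "default/tools/systeminfo.html": "<html>constructed system info</html>",
        "outside.txt": "not under the theme root",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return theme_root


def read_unrestricted(theme_root, url_param):
    """Vulnerable pattern: the user-supplied 'url' is joined to the theme root
    and opened as-is, so every file the web server can read under that root
    (and, via '..', beside it) is returned to the editor."""
    with open(os.path.join(theme_root, url_param), encoding="utf-8") as fh:
        return fh.read()


# Hypothetical allowlist: the template names the visual editor is meant to load.
EDITABLE_TEMPLATES = {"index.html"}


def read_restricted(theme_root, url_param):
    """Hardened variant: canonicalise, reject anything resolving outside the
    theme root, then serve only allowlisted template names. The allowlist is
    what blocks package.json and tools/systeminfo.html, which sit inside the
    root and would pass a containment check alone."""
    root = os.path.realpath(theme_root)
    target = os.path.realpath(os.path.join(root, url_param))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{url_param!r} resolves outside the theme root")
    rel = os.path.relpath(target, root).replace(os.sep, "/")
    if rel not in EDITABLE_TEMPLATES:
        raise PermissionError(f"{rel!r} is not an editable template")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def compare(theme_root, url_params):
    """Return {url_param: (readable_unrestricted, readable_restricted)}."""
    outcome = {}
    for p in url_params:
        try:
            read_unrestricted(theme_root, p)
            loose = True
        except OSError:
            loose = False
        try:
            read_restricted(theme_root, p)
            strict = True
        except OSError:  # PermissionError is an OSError subclass
            strict = False
        outcome[p] = (loose, strict)
    return outcome


# The first three are the paths the report used; the last is a traversal probe.
PROBES = ["index.html", "package.json", "tools/systeminfo.html", "../outside.txt"]

if __name__ == "__main__":
    root = make_fixture()
    for p, (loose, strict) in compare(root, PROBES).items():
        print(f"{p:24} unrestricted={'read' if loose else 'denied':6} "
              f"restricted={'read' if strict else 'denied'}")
```

Run stand-alone, it reports index.html readable under both resolvers and package.json, tools/systeminfo.html and ../outside.txt readable only under the unrestricted pattern. Note that the page's finding needs no `..` at all, so a realpath containment check by itself would not have stopped it; restricting the parameter to the set of templates the editor is actually meant to edit is the step that closes the read the report describes.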
| Source | https://hkohi.ca/vulnerability/10 |
|---|
| User | 0xHamy (UID 88518) |
|---|
| Submitted | 2025-07-29 08:21 PM (9 months ago) |
|---|
| Moderated | 2025-08-04 08:27 AM (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 318645 [givanz Vvveb up to 1.0.5 Drag-and-Drop Editor editor url information disclosure] |
|---|
| Points | 20 |
|---|