{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/htaccess/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41934"}],"_cs_exploited":false,"_cs_products":["Vvveb"],"_cs_severities":["critical"],"_cs_tags":["rce","htaccess","vvveb","CVE-2026-41934","attack.execution"],"_cs_type":"advisory","_cs_vendors":["Vvveb"],"content_html":"\u003cp\u003eVvveb versions prior to 1.0.8.2 are susceptible to an authenticated remote code execution vulnerability, identified as CVE-2026-41934. This flaw allows attackers with low-privilege accounts (editor, author, contributor, or site_admin) to execute arbitrary code on the server. The vulnerability stems from insufficient file extension restrictions in the admin code editor. An attacker can leverage this weakness to upload a specially crafted .htaccess file, which maps arbitrary file extensions to the PHP handler. Subsequently, they can upload a PHP file with the newly mapped extension. When this PHP file is accessed via HTTP, the server executes the embedded code, resulting in unauthenticated remote code execution. This poses a significant threat, as it enables attackers to compromise the entire web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the Vvveb application with editor, author, contributor, or site_admin privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the admin code editor within the Vvveb application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious .htaccess file that maps an arbitrary file extension (e.g., .test) to the PHP handler. The .htaccess file contains the line: \u003ccode\u003eAddType application/x-httpd-php .test\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker uses the admin code editor to upload the malicious .htaccess file to a publicly accessible directory on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PHP file containing malicious code and saves it with the file extension mapped in the .htaccess file (e.g., shell.test).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the PHP file (shell.test) to the same directory as the .htaccess file using the admin code editor.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP file (e.g., \u003ccode\u003ehttp://example.com/path/to/shell.test\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server, due to the .htaccess configuration, interprets the .test file as PHP and executes the malicious code, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41934 allows an attacker to execute arbitrary code on the web server hosting Vvveb. This can lead to complete system compromise, data theft, defacement of the website, or further lateral movement within the network. The vulnerability affects all Vvveb instances running versions prior to 1.0.8.2. Due to the ease of exploitation, a wide range of Vvveb installations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb to version 1.0.8.2 or later to patch CVE-2026-41934 immediately.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious .htaccess Uploads\u0026rdquo; to detect attempts to upload malicious .htaccess files via the webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to files with unusual extensions (e.g., .test, .custom) after the upload of .htaccess files to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Web Request for unusual file extensions\u0026rdquo; to detect requests to files with unusual file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-vvveb-rce/","summary":"Vvveb versions before 1.0.8.2 are vulnerable to authenticated remote code execution (RCE), enabling low-privilege users to execute arbitrary code by uploading a malicious .htaccess file and subsequently uploading PHP code with a mapped extension, resulting in unauthenticated RCE upon file access.","title":"Vvveb Authenticated Remote Code Execution via .htaccess Upload (CVE-2026-41934)","url":"https://feed.craftedsignal.io/briefs/2024-01-vvveb-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Htaccess","version":"https://jsonfeed.org/version/1.1"}