YesWiki Second-Order SQL Injection via Unescaped Page Tag in API Controller
A critical second-order SQL injection vulnerability (GHSA-8f2v-2qhj-gfwg) in YesWiki versions up to 4.6.5 allows a low-privilege authenticated attacker to execute arbitrary SQL commands via an unescaped page tag in the `ApiController::deletePage()` API, leading to time-based blind data exfiltration.
A critical second-order SQL injection vulnerability (GHSA-8f2v-2qhj-gfwg) has been identified in YesWiki versions up to and including 4.6.5, affecting its ApiController::deletePage() API endpoint. This flaw allows a low-privilege authenticated attacker to execute arbitrary SQL commands within the wiki's database, leading to potential data exfiltration. The vulnerability occurs because the application, while correctly escaping SQL metacharacters upon initial insertion of a page tag (e.g., SleepTag' OR SLEEP(2)-- ) into the yeswiki_pages table, fails to re-escape this stored, attacker-controlled tag when it's later retrieved and used in a DELETE FROM ..._links WHERE to_tag = '$tag' query. This second-order behavior bypasses typical input validation and enables time-based blind data exfiltration of sensitive information like user credentials, private page content, and other database records. The issue is exposed via the DELETE /api/pages/{tag} route, which is accessible to any authenticated user.
Attack Chain
- Initial Compromise: A low-privilege authenticated user gains access to a YesWiki instance.
- Malicious Page Creation: The attacker sends a
POSTrequest to/api/pages/{tag}with a URL-encoded malicious tag (e.g.,SleepTag%27%20OR%20SLEEP(2)--%20) containing SQL metacharacters. This tag is stored unescaped in theyeswiki_pagesdatabase table. - Linker Page Creation: The attacker creates a second, benign page, for example,
LinkPoc, viaPOST /api/pages/LinkPoc. - Establish Link: The attacker updates the
LinkPocpage (e.g., via theLinkPoc/editweb editor handler) to include a reference to the malicious page using{{include page="<evil tag>"}}. This action causes the application to insert a row into theyeswiki_linkstable, establishing a link to the malicious page and storing its raw, unescaped tag asto_tag. - Vulnerability Trigger: The attacker sends a
DELETErequest to/api/pages/{evil-tag}for the malicious page. TheDELETErequest targets the same URL-encoded malicious tag as created in step 2. - SQL Injection Execution: During the deletion process, the YesWiki application retrieves the stored malicious tag from the database and uses it unescaped in an SQL query like
DELETE FROM yeswiki_links WHERE to_tag = '$tag'. The injected SQL (e.g.,OR SLEEP(2)--) is then executed within the database. - Data Exfiltration: By varying the injected SQL payload, such as using conditional
SLEEP()statements, the attacker can perform time-based blind data exfiltration of sensitive information from any accessible database table.
Impact
Successful exploitation of this vulnerability can lead to time-based blind exfiltration of sensitive data from the YesWiki database. This includes highly sensitive information such as user password hashes (_users.password), email addresses, Access Control List (ACL) configurations (_acls.list), private page bodies (_pages.body), and database session data. Given the "acl:+" access control, any authenticated user, regardless of their privilege level, can initiate this attack. The impact can range from unauthorized disclosure of user data to full compromise of the wiki's content and user base.
Recommendation
- Immediately patch YesWiki installations to the latest version to address GHSA-8f2v-2qhj-gfwg.
- Deploy the
Detect YesWiki SQLi Attempt via URL-encoded Single QuoteSigma rule to your SIEM and tune it for your environment. - Enable comprehensive webserver logging (e.g., access logs) for the
webservercategory to activate the provided Sigma rule.
Detection coverage 1
Detect YesWiki SQLi Attempt via URL-encoded Single Quote
highDetects attempts to exploit GHSA-8f2v-2qhj-gfwg, a second-order SQL injection in YesWiki, by identifying API requests with a URL-encoded single quote (%27) in the page tag parameter.
Detection queries are available on the platform. Get full rules →