{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
"feed_url":"https://feed.craftedsignal.io/products/yafnet.core--4.0.4/",
"home_page_url":"https://feed.craftedsignal.io/",
"items":[{
"_cs_actors":[],
"_cs_cves":["CVE-2026-43937"],
"_cs_exploited":false,
"_cs_products":["YAFNET.Core (\u003c= 4.0.4)"],
"_cs_severities":["critical"],
"_cs_tags":["sql-injection","web-application","vulnerability"],
"_cs_type":"advisory",
"_cs_vendors":["Microsoft"],
"content_html":"\u003cp\u003eYAFNET, a forum software, contains a critical vulnerability (CVE-2026-43937) in its administrative authorization process. The \u003ccode\u003ePageSecurityCheckAttribute\u003c/code\u003e, intended to restrict access to admin functions, executes only after the page handler has already run, so it cannot stop the handler from performing unauthorized actions. As a result, any registered, low-privileged user can reach the \u003ccode\u003e/Admin/RunSql\u003c/code\u003e endpoint, an administrative SQL console whose \u003ccode\u003eOnPostRunQuery\u003c/code\u003e handler passes the user-supplied \u003ccode\u003eEditor\u003c/code\u003e parameter directly to \u003ccode\u003eIDbAccess.RunSql\u003c/code\u003e without validation. Because the endpoint is built to execute whole SQL statements, the attacker does not need to break out of an existing query: the entire \u003ccode\u003eEditor\u003c/code\u003e value runs against the application database. The result set is not returned to the caller, so exploitation is blind and relies on time-based inference. The vulnerability affects YAFNET Core versions 4.0.4 and earlier. Exploitation is straightforward, requiring only a registered forum account and a single HTTP POST request, making it highly likely to be exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged user registers or logs into the YAFNET forum.\u003c/li\u003e\n\u003cli\u003eThe user obtains a valid \u003ccode\u003e__RequestVerificationToken\u003c/code\u003e and session cookies from any rendered page. The anti-forgery token proves only that the request originated from the site's own form; it carries no authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to \u003ccode\u003e/Admin/RunSql?handler=RunQuery\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST body carries a URL-encoded SQL payload in the \u003ccode\u003eEditor\u003c/code\u003e parameter, built for blind, time-based inference.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePageSecurityCheckAttribute\u003c/code\u003e runs only after the \u003ccode\u003eOnPostRunQuery\u003c/code\u003e handler has executed, so it does not prevent the handler from running.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eOnPostRunQuery\u003c/code\u003e handler passes the unsanitized \u003ccode\u003eEditor\u003c/code\u003e value directly to \u003ccode\u003eIDbAccess.RunSql\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a time-based technique such as \u003ccode\u003eWAITFOR DELAY\u003c/code\u003e (SQL Server syntax; other engines offer equivalents such as \u003ccode\u003epg_sleep\u003c/code\u003e or \u003ccode\u003eSLEEP\u003c/code\u003e) to infer query results one condition at a time from response latency.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, modifies forum data, or causes a denial of service by manipulating the database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers with minimal privileges to gain full control over the application database, including sensitive user data, forum configurations, and identity stores. This can lead to full loss of Confidentiality, Integrity, and Availability. The impact escalates if the underlying SQL Server instance has \u003ccode\u003exp_cmdshell\u003c/code\u003e or CLR integration enabled and the application's database login is permitted to use them, potentially leading to OS-level command execution. Given the ease of exploitation and the severity of the potential impact, this vulnerability presents a significant risk to YAFNET deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the suggested remediation from the advisory by converting \u003ccode\u003ePageSecurityCheckAttribute\u003c/code\u003e to an \u003ccode\u003eIAsyncPageFilter\u003c/code\u003e that performs the authorization check in \u003ccode\u003eOnPageHandlerExecutionAsync\u003c/code\u003e and short-circuits (sets a result without invoking the handler delegate) whenever the caller is not authorized, so the decision is made before handler execution.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003e/Admin/RunSql\u003c/code\u003e access to \u003ccode\u003eHostAdmin\u003c/code\u003e users only and add a statement-type allow-list to \u003ccode\u003eIDbAccess.RunSql\u003c/code\u003e that rejects non-read-only SQL. Treat the allow-list as defense in depth: keyword filtering cannot reliably classify SQL across batches, comments and stored procedures, and the authorization fix is the control that matters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect YAFNET SQL Injection Attempt\u003c/code\u003e to identify malicious SQL payloads within HTTP POST requests to \u003ccode\u003e/Admin/RunSql\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging that captures HTTP POST requests for analysis with the provided Sigma rule. Standard access logs (for example IIS W3C logs) record the method and URL but not the request body, so matching the payload in the \u003ccode\u003eEditor\u003c/code\u003e parameter requires body logging at a WAF, reverse proxy or application middleware; even without body logging, any POST to \u003ccode\u003e/Admin/RunSql\u003c/code\u003e from an account that is not a host admin is itself a high-fidelity indicator.\u003c/li\u003e\n\u003cli\u003ePatch YAFNET to a fixed version later than 4.0.4 to remediate CVE-2026-43937.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-03T18:21:00Z",
"date_published":"2024-01-03T18:21:00Z",
"id":"/briefs/2024-01-yafnet-sqli/",
"summary":"YAFNET's flawed authorization allows low-privileged users to execute arbitrary SQL commands via the `/Admin/RunSql` endpoint, potentially leading to data exfiltration, application modification, and denial-of-service.",
"title":"YAFNET Pre-Handler Authorization Bypass Leads to SQL Injection",
"url":"https://feed.craftedsignal.io/briefs/2024-01-yafnet-sqli/"
}],
"language":"en",
"title":"CraftedSignal Threat Feed — YAFNET.Core (\u003c= 4.0.4)",
"version":"https://jsonfeed.org/version/1.1"}
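Added example for the remediation items in the brief above: a minimal ASP.NET Core Razor Pages sketch of the filter-ordering defect the advisory describes and of the pre-handler `IAsyncPageFilter` fix plus a statement-type allow-list that it recommends. This is illustrative code written for this feed page; it is not YAFNET's code and does not reproduce the real `PageSecurityCheckAttribute`. The class and member names (`LateSecurityCheckAttribute`, `AdminPageFilterAttribute`, `SqlStatementPolicy`, `RunSqlModel`), the `runSql` delegate standing in for `IDbAccess.RunSql`, and the assumption that the forum exposes host-admin status as a `HostAdmin` claims role are all hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Hypothetical "before" shape of the bug class: the check sits in
// OnPageHandlerExecuted, which Razor Pages invokes only AFTER the handler has
// run. Setting Result here swaps the response, but OnPostRunQuery (and the
// SQL it submitted) has already executed.
public sealed class LateSecurityCheckAttribute : Attribute, IPageFilter
{
    public void OnPageHandlerSelected(PageHandlerSelectedContext context) { }
    public void OnPageHandlerExecuting(PageHandlerExecutingContext context) { }

    public void OnPageHandlerExecuted(PageHandlerExecutedContext context)
    {
        if (!context.HttpContext.User.IsInRole("HostAdmin"))
            context.Result = new ForbidResult(); // too late: handler already ran
    }
}

// Fix as recommended: an IAsyncPageFilter that decides BEFORE invoking the
// handler delegate. Returning without calling next() short-circuits the
// pipeline, so the handler never executes for an unauthorized caller.
public sealed class AdminPageFilterAttribute : Attribute, IAsyncPageFilter
{
    public Task OnPageHandlerSelectionAsync(PageHandlerSelectedContext context)
        => Task.CompletedTask;

    public async Task OnPageHandlerExecutionAsync(
        PageHandlerExecutingContext context, PageHandlerExecutionDelegate next)
    {
        var user = context.HttpContext.User;
        if (user?.Identity?.IsAuthenticated != true)
        {
            context.Result = new ChallengeResult(); // anonymous: re-authenticate
            return;
        }
        if (!user.IsInRole("HostAdmin"))             // assumed role name
        {
            context.Result = new ForbidResult();     // logged in, not host admin: 403
            return;
        }
        await next(); // authorized: only now run OnPostRunQuery
    }
}

// Defense-in-depth allow-list for the SQL console: accept a single SELECT
// statement with no comments or batch separators. Keyword matching cannot
// fully classify SQL, so this complements the authorization filter above
// rather than replacing it.
public static class SqlStatementPolicy
{
    private static readonly Regex SingleSelect =
        new Regex(@"^\s*SELECT\b[^;]*;?\s*$", RegexOptions.IgnoreCase);

    public static bool IsReadOnlySelect(string sql)
    {
        if (string.IsNullOrWhiteSpace(sql)) return false;
        if (sql.Contains("--") || sql.Contains("/*")) return false; // no comment tricks
        return SingleSelect.IsMatch(sql);
    }
}

// Hypothetical page model for /Admin/RunSql with the fixed filter applied.
// The runSql delegate stands in for IDbAccess.RunSql.
[AdminPageFilter]
public sealed class RunSqlModel : PageModel
{
    private readonly Func<string, string> runSql;

    public RunSqlModel(Func<string, string> runSql) => this.runSql = runSql;

    [BindProperty] public string Editor { get; set; } = string.Empty;
    public string Output { get; private set; } = string.Empty;

    public IActionResult OnPostRunQuery()
    {
        if (!SqlStatementPolicy.IsReadOnlySelect(Editor))
            return BadRequest("Only a single SELECT statement is permitted.");
        Output = runSql(Editor);
        return Page();
    }
}
```

With the `IAsyncPageFilter` in place, a non-admin POST to `/Admin/RunSql?handler=RunQuery` receives a 403 before any handler code runs; the allow-list then also rejects payloads such as `SELECT 1; WAITFOR DELAY '0:0:5'` for authorized admins, but it is a secondary control and should not be relied on alone.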