YAFNET.Core (<= 4.0.4) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/yafnet.core--4.0.4/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 18:21:00 +0000YAFNET Pre-Handler Authorization Bypass Leads to SQL Injectionhttps://feed.craftedsignal.io/briefs/2024-01-yafnet-sqli/Wed, 03 Jan 2024 18:21:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-yafnet-sqli/YAFNET's flawed authorization allows low-privileged users to execute arbitrary SQL commands via the `/Admin/RunSql` endpoint, potentially leading to data exfiltration, application modification, and denial-of-service.YAFNET, a forum software, contains a critical vulnerability (CVE-2026-43937) related to its administrative authorization process. The PageSecurityCheckAttribute, intended to restrict access to admin functions, executes after the page handler, failing to prevent unauthorized actions. This flaw allows even low-privileged, registered users to access the /Admin/RunSql endpoint, which directly passes user-supplied input to the IDbAccess.RunSql function without proper validation. This results in blind SQL injection, allowing attackers to execute arbitrary SQL queries against the application database. The vulnerability affects YAFNET Core versions 4.0.4 and earlier. Exploitation is straightforward, requiring only a registered forum account and a single HTTP POST request, making it highly likely to be exploited.

Attack Chain

  1. A low-privileged user registers or logs into the YAFNET forum.
  2. The user obtains a valid __RequestVerificationToken and session cookies from any rendered page.
  3. The attacker crafts a malicious HTTP POST request to /Admin/RunSql?handler=RunQuery.
  4. The POST request includes a URL-encoded SQL payload in the Editor parameter, designed for blind SQL injection.
  5. The PageSecurityCheckAttribute fails to prevent execution of the OnPostRunQuery handler due to its late execution timing.
  6. The OnPostRunQuery handler passes the unsanitized Editor value directly to IDbAccess.RunSql.
  7. The attacker uses a time-based SQL injection technique, such as WAITFOR DELAY, to determine the output of SQL queries.
  8. The attacker exfiltrates sensitive data, modifies forum data, or performs a denial-of-service attack by manipulating the database.

Impact

Successful exploitation allows attackers with minimal privileges to gain full control over the application database, including sensitive user data, forum configurations, and identity stores. This can lead to full loss of Confidentiality, Integrity, and Availability. The impact escalates if the underlying SQL Server instance has xp_cmdshell or CLR integration enabled, potentially leading to OS-level command execution. Given the ease of exploitation and the severity of the potential impact, this vulnerability presents a significant risk to YAFNET deployments.

Recommendation

  • Implement the suggested remediation from the advisory by converting PageSecurityCheckAttribute to an IAsyncPageFilter to enforce authorization before handler execution.
  • Restrict /Admin/RunSql access to HostAdmin users only and implement a statement-type allow-list on IDbAccess.RunSql to prevent non-read-only SQL execution.
  • Deploy the Sigma rule Detect YAFNET SQL Injection Attempt to identify malicious SQL payloads within HTTP POST requests to /Admin/RunSql.
  • Enable webserver logging to capture HTTP POST requests for analysis and detection using the provided Sigma rule.
  • Patch YAFNET to a version beyond 4.0.4 to remediate CVE-2026-43937.
]]>criticaladvisorysql-injectionweb-applicationvulnerability